Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
VSLS SCHEDULE_pdf.exe

Overview

General Information

Sample name:VSLS SCHEDULE_pdf.exe
Analysis ID:1585951
MD5:ea999998326f1b7061dfcf2def8e1d1b
SHA1:513f32a0d21c87ebe413c7cf3cbc99138ec374c5
SHA256:abc0b5e65132918208e06122ecfe2172c468494da7b0e48cc40f8475138153b2
Tags:exeuser-James_inthe_box
Infos:

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • VSLS SCHEDULE_pdf.exe (PID: 5720 cmdline: "C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe" MD5: EA999998326F1B7061DFCF2DEF8E1D1B)
    • VSLS SCHEDULE_pdf.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe" MD5: EA999998326F1B7061DFCF2DEF8E1D1B)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "export.dryer@friuleir.com", "Password": "Godisgood101", "Server": "us2.smtp.mailhostbox.com", "Port": 587}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0xefdf:$a1: get_encryptedPassword
        • 0xf307:$a2: get_encryptedUsername
        • 0xed7a:$a3: get_timePasswordChanged
        • 0xee9b:$a4: get_passwordField
        • 0xeff5:$a5: set_encryptedPassword
        • 0x10951:$a7: get_logins
        • 0x10602:$a8: GetOutlookPasswords
        • 0x103f4:$a9: StartKeylogger
        • 0x108a1:$a10: KeyLoggerEventArgs
        • 0x10451:$a11: KeyLoggerEventArgsEventHandler
        00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
          Click to see the 12 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0xd3df:$a1: get_encryptedPassword
                • 0xd707:$a2: get_encryptedUsername
                • 0xd17a:$a3: get_timePasswordChanged
                • 0xd29b:$a4: get_passwordField
                • 0xd3f5:$a5: set_encryptedPassword
                • 0xed51:$a7: get_logins
                • 0xea02:$a8: GetOutlookPasswords
                • 0xe7f4:$a9: StartKeylogger
                • 0xeca1:$a10: KeyLoggerEventArgs
                • 0xe851:$a11: KeyLoggerEventArgsEventHandler
                0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x12371:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x1186f:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x11b7d:$a4: \Orbitum\User Data\Default\Login Data
                • 0x12975:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 20 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-08T15:06:55.926592+010028032742Potentially Bad Traffic192.168.2.549706193.122.130.080TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: VSLS SCHEDULE_pdf.exeAvira: detected
                Found malware configuration
                Source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpackMalware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "export.dryer@friuleir.com", "Password": "Godisgood101", "Server": "us2.smtp.mailhostbox.com", "Port": 587}
                Multi AV Scanner detection for submitted file
                Source: VSLS SCHEDULE_pdf.exeReversingLabs: Detection: 52%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: VSLS SCHEDULE_pdf.exeJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.0
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010321287.0000000002F71000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 00DF5782h2_2_00DF5367
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 00DF51B9h2_2_00DF4F08
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 00DF5782h2_2_00DF56AF
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C1935h2_2_011C15F8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CEBD0h2_2_011CE928
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CCC30h2_2_011CC988
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C1449h2_2_011C11A0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CF480h2_2_011CF1D8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CBAD0h2_2_011CB828
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C02E9h2_2_011C0040
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CE320h2_2_011CE078
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C4350h2_2_011C40A8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CC380h2_2_011CC0D8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C0B99h2_2_011C08F0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CADC8h2_2_011CAB20
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C3648h2_2_011C33A0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CB678h2_2_011CB3D0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CD4E0h2_2_011CD238
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CA518h2_2_011CA270
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CFD30h2_2_011CFA88
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C2D98h2_2_011C2AF0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CC7D8h2_2_011CC530
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C0FF1h2_2_011C0D48
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CF028h2_2_011CED80
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CD088h2_2_011CCDE0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CDEC8h2_2_011CDC20
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C3EF8h2_2_011C3C50
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C0741h2_2_011C0498
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CBF28h2_2_011CBC80
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CA0C0h2_2_011C9CA0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CE778h2_2_011CE4D0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C31F0h2_2_011C2F48
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CB220h2_2_011CAF78
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011C3AA0h2_2_011C37F8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CF8D8h2_2_011CF630
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CD93Ah2_2_011CD690
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 4x nop then jmp 011CA970h2_2_011CA6C8
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.130.0:80
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.0000000002742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000026E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000277B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000277B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000026E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to log keystrokes (.Net Source)
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: VSLS SCHEDULE_pdf.exe
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 0_2_0144E0840_2_0144E084
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 0_2_091517200_2_09151720
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFC1682_2_00DFC168
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DF27B92_2_00DF27B9
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFCAB02_2_00DFCAB0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DF2DD12_2_00DF2DD1
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DF7E682_2_00DF7E68
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DF4F082_2_00DF4F08
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFB9E02_2_00DFB9E0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFCAAF2_2_00DFCAAF
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DF4EF82_2_00DF4EF8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DF7E672_2_00DF7E67
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C6A202_2_011C6A20
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C45002_2_011C4500
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C15F82_2_011C15F8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C1C582_2_011C1C58
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C77802_2_011C7780
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CE9282_2_011CE928
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CE9222_2_011CE922
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CC97A2_2_011CC97A
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C118F2_2_011C118F
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CC9882_2_011CC988
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C11A02_2_011C11A0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CF1D82_2_011CF1D8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CF1C82_2_011CF1C8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CB8182_2_011CB818
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C00322_2_011C0032
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CB8282_2_011CB828
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C00402_2_011C0040
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CE0782_2_011CE078
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CE0682_2_011CE068
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C40982_2_011C4098
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C40A82_2_011C40A8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C08DF2_2_011C08DF
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CC0D82_2_011CC0D8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CC0CE2_2_011CC0CE
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C08F02_2_011C08F0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CAB102_2_011CAB10
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CAB202_2_011CAB20
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C33912_2_011C3391
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C33A02_2_011C33A0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CB3D02_2_011CB3D0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CB3C12_2_011CB3C1
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CD2382_2_011CD238
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CD2322_2_011CD232
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CFA782_2_011CFA78
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CA2702_2_011CA270
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CA2612_2_011CA261
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CFA882_2_011CFA88
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C2AF02_2_011C2AF0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C2AE02_2_011C2AE0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C0D3A2_2_011C0D3A
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CC5302_2_011CC530
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CC52A2_2_011CC52A
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C0D482_2_011C0D48
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CED702_2_011CED70
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CED802_2_011CED80
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CCDDA2_2_011CCDDA
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C15EA2_2_011C15EA
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CCDE02_2_011CCDE0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CDC112_2_011CDC11
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CDC202_2_011CDC20
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C3C502_2_011C3C50
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C1C4A2_2_011C1C4A
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C3C412_2_011C3C41
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CBC712_2_011CBC71
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C04982_2_011C0498
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C048A2_2_011C048A
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CBC802_2_011CBC80
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C9CA02_2_011C9CA0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CE4D02_2_011CE4D0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CE4C02_2_011CE4C0
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C2F382_2_011C2F38
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C2F482_2_011C2F48
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CAF782_2_011CAF78
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CAF682_2_011CAF68
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C37F82_2_011C37F8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011C37E82_2_011C37E8
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CF6302_2_011CF630
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CF6202_2_011CF620
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CD6902_2_011CD690
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CD6812_2_011CD681
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CA6B92_2_011CA6B9
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_011CA6C82_2_011CA6C8
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameVebinace.dll2 vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2009598984.00000000010AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010321287.0000000002F71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000000.2003354915.0000000000AA2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNone.exe* vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010321287.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010321287.0000000002FEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242189429.0000000000537000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242535570.00000000006B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.000000000055A000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exeBinary or memory string: OriginalFilenameNone.exe* vs VSLS SCHEDULE_pdf.exe
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: VSLS SCHEDULE_pdf.exe, Form1.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, AirFilter.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, AirFilter.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, EngineBlock.csSuspicious method names: .EngineBlock.FuelInjectionType
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.InjectorType
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.AreInjectorsClogged
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.InjectorDutyCycle
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.InjectorFlowRate
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.InjectorType
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.AreInjectorsClogged
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.InjectorDutyCycle
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, FuelInjector.csSuspicious method names: .FuelInjector.InjectorFlowRate
                Source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, EngineBlock.csSuspicious method names: .EngineBlock.FuelInjectionType
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VSLS SCHEDULE_pdf.exe.logJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMutant created: NULL
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: VSLS SCHEDULE_pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3244407948.000000000370D000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000027CE000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000027DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: VSLS SCHEDULE_pdf.exeReversingLabs: Detection: 52%
                Source: unknownProcess created: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe "C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe"
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess created: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe "C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe"
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess created: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe "C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010321287.0000000002F71000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: VSLS SCHEDULE_pdf.exe, Form1.cs.Net Code: Form1_Load System.Reflection.Assembly.Load(byte[])
                Source: VSLS SCHEDULE_pdf.exe, Form1.cs.Net Code: Form1_Load
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: 0x827F415A [Thu May 19 00:31:22 2039 UTC]
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFF273 push ebp; retf 2_2_00DFF281
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFB544 push eax; retf 2_2_00DFB545
                Source: VSLS SCHEDULE_pdf.exeStatic PE information: section name: .text entropy: 7.7580330271790805
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: 1440000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: 2F70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: 2EC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: DB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: 26E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: F10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe TID: 6776Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242535570.00000000006E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeCode function: 2_2_00DFC168 LdrInitializeThunk,LdrInitializeThunk,2_2_00DFC168
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 0.2.VSLS SCHEDULE_pdf.exe.2fd28b4.1.raw.unpack, EngineAlgorithm.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                Source: 0.2.VSLS SCHEDULE_pdf.exe.2fd28b4.1.raw.unpack, EngineAlgorithm.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                Source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeProcess created: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe "C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected MassLogger RAT
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.3243663897.0000000002834000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected MassLogger RAT
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.VSLS SCHEDULE_pdf.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.400e220.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fcd1b0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.VSLS SCHEDULE_pdf.exe.3fa3380.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 5720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: VSLS SCHEDULE_pdf.exe PID: 7164, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Native API                		1
                DLL Side-Loading                		11
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		1
                Query Registry                		Remote Services1
                Email Collection                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Disable or Modify Tools                		1
                Input Capture                		1
                Security Software Discovery                		Remote Desktop Protocol1
                Input Capture                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
                Virtualization/Sandbox Evasion                		Security Account Manager1
                Process Discovery                		SMB/Windows Admin Shares11
                Archive Collected Data                		2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection                		NTDS31
                Virtualization/Sandbox Evasion                		Distributed Component Object Model1
                Data from Local System                		13
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                Obfuscated Files or Information                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                Software Packing                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Timestomp                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                VSLS SCHEDULE_pdf.exe53%ReversingLabsByteCode-MSIL.Trojan.MassloggerRAT
                VSLS SCHEDULE_pdf.exe100%AviraHEUR/AGEN.1306813
                VSLS SCHEDULE_pdf.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                No Antivirus matches

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                reallyfreegeoip.org
                		188.114.96.3
                		truefalse
                  		high
                  checkip.dyndns.com
                  		193.122.130.0
                  		truefalse
                    		high
                    checkip.dyndns.org
                    		unknown
                    		unknownfalse
                      		high

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://checkip.dyndns.org/false
                        		high
                        https://reallyfreegeoip.org/xml/8.46.123.189false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://reallyfreegeoip.org/xml/8.46.123.189lVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://checkip.dyndns.comdVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://checkip.dyndns.org/qVSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpfalse
                                		high
                                http://reallyfreegeoip.orgdVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000277B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://reallyfreegeoip.org/xml/8.46.123.189dVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://reallyfreegeoip.orgVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000277B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://checkip.dyndns.orgdVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://reallyfreegeoip.orgVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://checkip.dyndns.orgVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.0000000002742000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://checkip.dyndns.comVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://checkip.dyndns.org/dVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameVSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.00000000026E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://api.telegram.org/bot-/sendDocument?chat_id=VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://reallyfreegeoip.org/xml/VSLS SCHEDULE_pdf.exe, 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, VSLS SCHEDULE_pdf.exe, 00000002.00000002.3243663897.000000000275E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      188.114.96.3
                                                      		reallyfreegeoip.orgEuropean Union
                                                      		13335CLOUDFLARENETUSfalse
                                                      193.122.130.0
                                                      		checkip.dyndns.comUnited States
                                                      		31898ORACLE-BMC-31898USfalse

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1585951
                                                      Start date and time:2025-01-08 15:06:06 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 5m 3s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:6
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:VSLS SCHEDULE_pdf.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 51
                                                      • Number of non-executed functions: 35
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 23.56.254.164, 172.202.163.200, 13.107.253.45
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                      • VT rate limit hit for: VSLS SCHEDULE_pdf.exe

                                                      Simulations

                                                      Behavior and APIs

                                                      No simulations

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      188.114.96.3GTA5-elamigos.exeGet hashmaliciousEsquele StealerBrowse
                                                      • /api/get/dll
                                                      Gg6wivFINd.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                      • unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
                                                      QUOTATION_NOVQTRA071244#U00b7PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • filetransfer.io/data-package/u7ghXEYp/download
                                                      CV_ Filipa Barbosa.exeGet hashmaliciousFormBookBrowse
                                                      • www.mffnow.info/1a34/
                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                      • www.mydreamdeal.click/1ag2/
                                                      SWIFT COPY 0028_pdf.exeGet hashmaliciousFormBookBrowse
                                                      • www.questmatch.pro/ipd6/
                                                      QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • filetransfer.io/data-package/I7fmQg9d/download
                                                      need quotations.exeGet hashmaliciousFormBookBrowse
                                                      • www.rtpwslot888gol.sbs/jmkz/
                                                      QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • filetransfer.io/data-package/Bh1Kj4RD/download
                                                      http://kklk16.bsyo45ksda.topGet hashmaliciousUnknownBrowse
                                                      • kklk16.bsyo45ksda.top/favicon.ico
                                                      193.122.130.0ungziped_file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • checkip.dyndns.org/
                                                      New order 2025.msgGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                      • checkip.dyndns.org/
                                                      file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • checkip.dyndns.org/
                                                      image.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • checkip.dyndns.org/
                                                      DHL DOC INV 191224.gz.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • checkip.dyndns.org/
                                                      PO_KB#67897.cmdGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                      • checkip.dyndns.org/
                                                      MT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • checkip.dyndns.org/
                                                      Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                      • checkip.dyndns.org/
                                                      rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                      • checkip.dyndns.org/
                                                      66776676676.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                      • checkip.dyndns.org/

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      reallyfreegeoip.orgungziped_file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • 188.114.96.3
                                                      fatura098002.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.97.3
                                                      Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.97.3
                                                      New order 2025.msgGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                      • 188.114.97.3
                                                      ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.97.3
                                                      MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.97.3
                                                      FORTUNE RICH_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.97.3
                                                      document pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.96.3
                                                      fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.96.3
                                                      yxU3AgeVTi.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.97.3
                                                      checkip.dyndns.comungziped_file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • 193.122.130.0
                                                      fatura098002.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 132.226.247.73
                                                      Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 132.226.247.73
                                                      New order 2025.msgGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                      • 193.122.6.168
                                                      ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 132.226.8.169
                                                      MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 132.226.247.73
                                                      FORTUNE RICH_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 158.101.44.242
                                                      document pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 132.226.8.169
                                                      fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 158.101.44.242
                                                      yxU3AgeVTi.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 132.226.247.73

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CLOUDFLARENETUSORDER REF 47896798 PSMCO.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                      • 104.21.53.168
                                                      Selvi Payroll Benefits & Bonus Agreementfdp.pdfGet hashmaliciousUnknownBrowse
                                                      • 104.17.25.14
                                                      https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fdeGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.25.14
                                                      Your Google Account has been deleted due to Terms of Service violations.emlGet hashmaliciousUnknownBrowse
                                                      • 1.1.1.1
                                                      https://jmak-service.com/3225640388Get hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.25.14
                                                      malw.htaGet hashmaliciousBranchlock ObfuscatorBrowse
                                                      • 162.159.61.3
                                                      web55.mp4.htaGet hashmaliciousLummaCBrowse
                                                      • 188.114.97.3
                                                      Rgr8LJz.exeGet hashmaliciousLummaCBrowse
                                                      • 104.21.4.114
                                                      06012025_1416_bombastic.htaGet hashmaliciousBranchlock ObfuscatorBrowse
                                                      • 172.64.41.3
                                                      malw.htaGet hashmaliciousUnknownBrowse
                                                      • 162.159.61.3
                                                      ORACLE-BMC-31898USungziped_file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • 193.122.130.0
                                                      miori.x86.elfGet hashmaliciousUnknownBrowse
                                                      • 140.204.251.205
                                                      New order 2025.msgGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                      • 193.122.130.0
                                                      FORTUNE RICH_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 158.101.44.242
                                                      fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 158.101.44.242
                                                      PI ITS15235.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 158.101.44.242
                                                      Fantazy.i686.elfGet hashmaliciousUnknownBrowse
                                                      • 193.123.7.176
                                                      fuckunix.spc.elfGet hashmaliciousMiraiBrowse
                                                      • 144.25.181.0
                                                      PO#5_Tower_049.batGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                      • 158.101.44.242
                                                      test.exeGet hashmaliciousUnknownBrowse
                                                      • 130.61.86.87

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      54328bd36c14bd82ddaa0c04b25ed9adungziped_file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                      • 188.114.96.3
                                                      fatura098002.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.96.3
                                                      Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.96.3
                                                      New order 2025.msgGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                      • 188.114.96.3
                                                      ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.96.3
                                                      MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.96.3
                                                      FORTUNE RICH_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                      • 188.114.96.3
                                                      document pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.96.3
                                                      fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.96.3
                                                      yxU3AgeVTi.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                      • 188.114.96.3

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VSLS SCHEDULE_pdf.exe.log

                                                      Download File
                                                      Process:C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1119
                                                      Entropy (8bit):5.345080863654519
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                      MD5:88593431AEF401417595E7A00FE86E5F
                                                      SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                      SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                      SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                      Malicious:true
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.747012057708558
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:VSLS SCHEDULE_pdf.exe
                                                      File size:217'088 bytes
                                                      MD5:ea999998326f1b7061dfcf2def8e1d1b
                                                      SHA1:513f32a0d21c87ebe413c7cf3cbc99138ec374c5
                                                      SHA256:abc0b5e65132918208e06122ecfe2172c468494da7b0e48cc40f8475138153b2
                                                      SHA512:8e46786a5d3b5356360656c12e420ef0147e881a123161ec2f5f1d187cceb06ff62908a775ee3905ddce7bf85891407371f8a05d19423a2a57ffa3830c9b9f74
                                                      SSDEEP:3072:oXeICe+2LbgMBGKznc9qz/yoj7wzBt56g4JEJ2WTi5l/N2Ft1vbR:ouICe+2HGKfzD72MmJ2T8
                                                      TLSH:2224F6BE29BEC4A1C8B2D1BCD950230973671501DBD561A97B4BBAE7DC10B18DC0A6F3
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ZA................0......6.......7... ...@....@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:13d1421995c6490d

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x43371e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x827F415A [Thu May 19 00:31:22 2039 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x336c40x57.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x340000x33c0.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x380000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x20000x317240x3180007f92ae98cb8656968431817d49f1558False0.6829427083333334data7.7580330271790805IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc0x340000x33c00x34002ff4d91a063ab2b90dd010ec1dc98153False0.9199969951923077data7.698405552990344IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc0x380000xc0x2006f6bb9996e1bcbc53f04faf30c5d7cb1False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                      RT_ICON0x341300x2d91PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9799399914273468
                                                      RT_GROUP_ICON0x36ec40x14data0.95
                                                      RT_VERSION0x36ed80x2fcdata0.43324607329842935
                                                      RT_MANIFEST0x371d40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2025-01-08T15:06:55.926592+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.549706193.122.130.080TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 8, 2025 15:06:54.675913095 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:06:54.680751085 CET8049706193.122.130.0192.168.2.5
                                                      Jan 8, 2025 15:06:54.680830956 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:06:54.681088924 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:06:54.685848951 CET8049706193.122.130.0192.168.2.5
                                                      Jan 8, 2025 15:06:55.759831905 CET8049706193.122.130.0192.168.2.5
                                                      Jan 8, 2025 15:06:55.764403105 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:06:55.770030022 CET8049706193.122.130.0192.168.2.5
                                                      Jan 8, 2025 15:06:55.872154951 CET8049706193.122.130.0192.168.2.5
                                                      Jan 8, 2025 15:06:55.926592112 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:06:55.949418068 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:55.949461937 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:55.949531078 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:55.964194059 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:55.964215994 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.441695929 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.441772938 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:56.452023983 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:56.452040911 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.452308893 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.504714012 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:56.612015009 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:56.659339905 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.741065025 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.741139889 CET44349707188.114.96.3192.168.2.5
                                                      Jan 8, 2025 15:06:56.741194963 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:06:56.762959003 CET49707443192.168.2.5188.114.96.3
                                                      Jan 8, 2025 15:08:00.871969938 CET8049706193.122.130.0192.168.2.5
                                                      Jan 8, 2025 15:08:00.874169111 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:08:35.912311077 CET4970680192.168.2.5193.122.130.0
                                                      Jan 8, 2025 15:08:35.917097092 CET8049706193.122.130.0192.168.2.5

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 8, 2025 15:06:54.629326105 CET5275953192.168.2.51.1.1.1
                                                      Jan 8, 2025 15:06:54.636745930 CET53527591.1.1.1192.168.2.5
                                                      Jan 8, 2025 15:06:55.940387964 CET4941053192.168.2.51.1.1.1
                                                      Jan 8, 2025 15:06:55.947336912 CET53494101.1.1.1192.168.2.5

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Jan 8, 2025 15:06:54.629326105 CET192.168.2.51.1.1.10xca08Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:55.940387964 CET192.168.2.51.1.1.10xdd65Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Jan 8, 2025 15:06:54.636745930 CET1.1.1.1192.168.2.50xca08No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                      Jan 8, 2025 15:06:54.636745930 CET1.1.1.1192.168.2.50xca08No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:54.636745930 CET1.1.1.1192.168.2.50xca08No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:54.636745930 CET1.1.1.1192.168.2.50xca08No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:54.636745930 CET1.1.1.1192.168.2.50xca08No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:54.636745930 CET1.1.1.1192.168.2.50xca08No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:55.947336912 CET1.1.1.1192.168.2.50xdd65No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                      Jan 8, 2025 15:06:55.947336912 CET1.1.1.1192.168.2.50xdd65No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • reallyfreegeoip.org
                                                      • checkip.dyndns.org

                                                      HTTP Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.549706193.122.130.0807164C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe
                                                      TimestampBytes transferredDirectionData
                                                      Jan 8, 2025 15:06:54.681088924 CET151OUTGET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                      Host: checkip.dyndns.org
                                                      Connection: Keep-Alive
                                                      Jan 8, 2025 15:06:55.759831905 CET321INHTTP/1.1 200 OK
                                                      Date: Wed, 08 Jan 2025 14:06:55 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 104
                                                      Connection: keep-alive
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      X-Request-ID: 7cc2f9806819e8f7e0ebfc9768fdb49a
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                      Jan 8, 2025 15:06:55.764403105 CET127OUTGET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                      Host: checkip.dyndns.org
                                                      Jan 8, 2025 15:06:55.872154951 CET321INHTTP/1.1 200 OK
                                                      Date: Wed, 08 Jan 2025 14:06:55 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 104
                                                      Connection: keep-alive
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      X-Request-ID: 3aa141aa54d13955a1201f253b123aa1
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.549707188.114.96.34437164C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe
                                                      TimestampBytes transferredDirectionData
                                                      2025-01-08 14:06:56 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                      Host: reallyfreegeoip.org
                                                      Connection: Keep-Alive
                                                      2025-01-08 14:06:56 UTC857INHTTP/1.1 200 OK
                                                      Date: Wed, 08 Jan 2025 14:06:56 GMT
                                                      Content-Type: text/xml
                                                      Content-Length: 362
                                                      Connection: close
                                                      Age: 1660005
                                                      Cache-Control: max-age=31536000
                                                      cf-cache-status: HIT
                                                      last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hwGdkmH5QrPcQRHbk74qJNhwMN9f8tcnoZ93Is0kOyBN75MZ2sAt571jrw7HWdwFDMzj3ErF51Wz1B%2FKleddQd62GcXdqnhJ7mgmJoY%2BtwCr0go%2FqVy5u76dWi4%2FLEauxmbPYggp"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8fecc0442bc48c5d-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2062&min_rtt=2045&rtt_var=801&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1337608&cwnd=211&unsent_bytes=0&cid=2c72af02349a2362&ts=304&x=0"
                                                      2025-01-08 14:06:56 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:09:06:53
                                                      Start date:08/01/2025
                                                      Path:C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe"
                                                      Imagebase:0xaa0000
                                                      File size:217'088 bytes
                                                      MD5 hash:EA999998326F1B7061DFCF2DEF8E1D1B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2010490156.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:2
                                                      Start time:09:06:53
                                                      Start date:08/01/2025
                                                      Path:C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\VSLS SCHEDULE_pdf.exe"
                                                      Imagebase:0x140000
                                                      File size:217'088 bytes
                                                      MD5 hash:EA999998326F1B7061DFCF2DEF8E1D1B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3242226374.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3243663897.0000000002834000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:11%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:99
                                                        Total number of Limit Nodes:7
                                                        execution_graph 17164 144d540 17165 144d586 17164->17165 17169 144d720 17165->17169 17172 144d710 17165->17172 17166 144d673 17176 144d2f8 17169->17176 17173 144d720 17172->17173 17174 144d2f8 DuplicateHandle 17173->17174 17175 144d74e 17174->17175 17175->17166 17177 144d788 DuplicateHandle 17176->17177 17178 144d74e 17177->17178 17178->17166 17260 144b1b0 17261 144b1bf 17260->17261 17263 144b298 17260->17263 17264 144b2dc 17263->17264 17265 144b2b9 17263->17265 17264->17261 17265->17264 17266 144b4e0 GetModuleHandleW 17265->17266 17267 144b50d 17266->17267 17267->17261 17268 9150d80 17269 9150d8a 17268->17269 17270 9150db1 17269->17270 17273 91510b0 17269->17273 17278 91510a0 17269->17278 17274 91510bb 17273->17274 17275 91510cb 17274->17275 17283 9151502 OleInitialize 17274->17283 17285 9151508 OleInitialize 17274->17285 17275->17270 17279 91510bb 17278->17279 17280 91510cb 17279->17280 17281 9151502 OleInitialize 17279->17281 17282 9151508 OleInitialize 17279->17282 17280->17270 17281->17280 17282->17280 17284 915156c 17283->17284 17284->17275 17286 915156c 17285->17286 17286->17275 17287 91521a0 17288 91521e4 17287->17288 17289 91521ee EnumThreadWindows 17287->17289 17288->17289 17290 9152220 17289->17290 17179 1444668 17180 144467a 17179->17180 17181 1444686 17180->17181 17185 1444778 17180->17185 17190 1443e1c 17181->17190 17183 14446a5 17186 144479d 17185->17186 17194 1444878 17186->17194 17198 1444888 17186->17198 17191 1443e27 17190->17191 17206 1445cec 17191->17206 17193 14472f8 17193->17183 17196 1444888 17194->17196 17195 144498c 17195->17195 17196->17195 17202 144449c 17196->17202 17200 14448af 17198->17200 17199 144498c 17199->17199 17200->17199 17201 144449c CreateActCtxA 17200->17201 17201->17199 17203 1445918 CreateActCtxA 17202->17203 17205 14459db 17203->17205 17207 1445cf7 17206->17207 17210 1445d0c 17207->17210 17209 144739d 17209->17193 17211 1445d17 17210->17211 17214 1445d3c 17211->17214 17213 144747a 17213->17209 17215 1445d47 17214->17215 17218 1445d6c 17215->17218 17217 144756d 17217->17213 17219 1445d77 17218->17219 17220 1448b09 17219->17220 17223 144ce60 17219->17223 17228 144ce70 17219->17228 17220->17217 17224 144ce70 17223->17224 17225 144ceb5 17224->17225 17233 144d418 17224->17233 17237 144d428 17224->17237 17225->17220 17230 144ce91 17228->17230 17229 144ceb5 17229->17220 17230->17229 17231 144d418 2 API calls 17230->17231 17232 144d428 2 API calls 17230->17232 17231->17229 17232->17229 17235 144d435 17233->17235 17234 144d46f 17234->17225 17235->17234 17241 144d230 17235->17241 17238 144d435 17237->17238 17239 144d46f 17238->17239 17240 144d230 2 API calls 17238->17240 17239->17225 17240->17239 17242 144d23b 17241->17242 17244 144dd80 17242->17244 17245 144d35c 17242->17245 17244->17244 17246 144d367 17245->17246 17247 1445d6c 2 API calls 17246->17247 17248 144ddef 17247->17248 17249 144ddfe 17248->17249 17252 144e270 17248->17252 17256 144e238 17248->17256 17249->17244 17253 144e29e 17252->17253 17254 144e36a KiUserCallbackDispatcher 17253->17254 17255 144e36f 17253->17255 17254->17255 17257 144e23d 17256->17257 17258 144e36a KiUserCallbackDispatcher 17257->17258 17259 144e36f 17257->17259 17258->17259

                                                        Executed Functions

                                                        Function 09151720 Relevance: .4, Instructions: 396COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2012526791.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9150000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e98034ee1341e7f3cfdfd4447bd50d4fcf806e86be8ea9ad45a3596c0486680a
                                                        • Instruction ID: f4c0527f60cb536ab086b1fc92b12ee4d2e98be9c96fd23e9642c63536f597a7
                                                        • Opcode Fuzzy Hash: e98034ee1341e7f3cfdfd4447bd50d4fcf806e86be8ea9ad45a3596c0486680a
                                                        • Instruction Fuzzy Hash: F8F15E30E04209DFDB15DFA9C984BADBBF1FF44308F168558E82AAB255DB71E945CB80
                                                        Function 0144B298 Relevance: 1.7, APIs: 1, Instructions: 203COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 342 144b298-144b2b7 343 144b2e3-144b2e7 342->343 344 144b2b9-144b2c6 call 144af38 342->344 345 144b2e9-144b2f3 343->345 346 144b2fb-144b33c 343->346 351 144b2dc 344->351 352 144b2c8 344->352 345->346 353 144b33e-144b346 346->353 354 144b349-144b357 346->354 351->343 398 144b2ce call 144b540 352->398 399 144b2ce call 144b532 352->399 353->354 355 144b359-144b35e 354->355 356 144b37b-144b37d 354->356 360 144b360-144b367 call 144af44 355->360 361 144b369 355->361 359 144b380-144b387 356->359 357 144b2d4-144b2d6 357->351 358 144b418-144b4d8 357->358 393 144b4e0-144b50b GetModuleHandleW 358->393 394 144b4da-144b4dd 358->394 363 144b394-144b39b 359->363 364 144b389-144b391 359->364 362 144b36b-144b379 360->362 361->362 362->359 366 144b39d-144b3a5 363->366 367 144b3a8-144b3b1 call 144af54 363->367 364->363 366->367 373 144b3b3-144b3bb 367->373 374 144b3be-144b3c3 367->374 373->374 375 144b3c5-144b3cc 374->375 376 144b3e1-144b3ee 374->376 375->376 378 144b3ce-144b3de call 144af64 call 144af74 375->378 382 144b3f0-144b40e 376->382 383 144b411-144b417 376->383 378->376 382->383 395 144b514-144b528 393->395 396 144b50d-144b513 393->396 394->393 396->395 398->357 399->357
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0144B4FE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 2ca74bb7e8ec61aebdd12c17a7974ec56a502ae8e864699b5151dae3cf07dc0e
                                                        • Instruction ID: 5daddba75e3e6352c916f702bdeb2adfb28dfaf38a080f8916f1c31f2a465caf
                                                        • Opcode Fuzzy Hash: 2ca74bb7e8ec61aebdd12c17a7974ec56a502ae8e864699b5151dae3cf07dc0e
                                                        • Instruction Fuzzy Hash: BF812270A00B458FEB24DF2AD45479ABBF1FF88204F10892ED48ADBB60D735E945CB90
                                                        Function 0144449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 400 144449c-14459d9 CreateActCtxA 403 14459e2-1445a3c 400->403 404 14459db-14459e1 400->404 411 1445a3e-1445a41 403->411 412 1445a4b-1445a4f 403->412 404->403 411->412 413 1445a60 412->413 414 1445a51-1445a5d 412->414 416 1445a61 413->416 414->413 416->416
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 014459C9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 4e045ed8695c2b2370c7885c47037f564589e1c5064a5947a785581acc552464
                                                        • Instruction ID: 961563ed53641a05bc7850d1c8010391939872df61a11683252d67f6dba64636
                                                        • Opcode Fuzzy Hash: 4e045ed8695c2b2370c7885c47037f564589e1c5064a5947a785581acc552464
                                                        • Instruction Fuzzy Hash: 7141D3B0C00719CBDB24DFA9C88479EBBF5BF45304F20806AD409AB255DB755945CF91
                                                        Function 0144590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 417 144590c-1445914 418 144591c-14459d9 CreateActCtxA 417->418 420 14459e2-1445a3c 418->420 421 14459db-14459e1 418->421 428 1445a3e-1445a41 420->428 429 1445a4b-1445a4f 420->429 421->420 428->429 430 1445a60 429->430 431 1445a51-1445a5d 429->431 433 1445a61 430->433 431->430 433->433
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 014459C9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: fe2bf726add9a7180108642335ea194334bf6642cee41d6c865140db349fcbf5
                                                        • Instruction ID: 103c4695a419a8a38e3ab78933c99b3aeaaac5bb5ef256b52f2cb30292efe773
                                                        • Opcode Fuzzy Hash: fe2bf726add9a7180108642335ea194334bf6642cee41d6c865140db349fcbf5
                                                        • Instruction Fuzzy Hash: 4E41D0B0C00719CBEB24DFA9C884BDEBBB5BF49304F20806AD419AB264DB755946CF91
                                                        Function 0144D2F8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 434 144d2f8-144d81c DuplicateHandle 436 144d825-144d842 434->436 437 144d81e-144d824 434->437 437->436
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D74E,?,?,?,?,?), ref: 0144D80F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: a1ea7862ee0d56dbf91147772665f0e6f3de5bcd0ae2882dbaf20f6ef7450a23
                                                        • Instruction ID: c1b27fe446e4fe7f569ef1beef806765457591626db9092383f9e05bb7b3d7ea
                                                        • Opcode Fuzzy Hash: a1ea7862ee0d56dbf91147772665f0e6f3de5bcd0ae2882dbaf20f6ef7450a23
                                                        • Instruction Fuzzy Hash: 8821E7B5D002489FDB10CF99D584AEEBFF4FB48310F14842AE918A3350D378A944CFA0
                                                        Function 09152198 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 445 9152198-91521e2 446 91521e4-91521ec 445->446 447 91521ee-915221e EnumThreadWindows 445->447 446->447 448 9152227-9152254 447->448 449 9152220-9152226 447->449 449->448
                                                        APIs
                                                        • EnumThreadWindows.USER32(?,00000000,?), ref: 09152211
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2012526791.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9150000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: EnumThreadWindows
                                                        • String ID:
                                                        • API String ID: 2941952884-0
                                                        • Opcode ID: f80f1a7b613832643bf6da16e99bb1365c63528457b5c7c15487a9f53e92f33f
                                                        • Instruction ID: 107674fc454c7cc8ac05aff699d0f194b3d1f60095de4119e1bd6cdd794754be
                                                        • Opcode Fuzzy Hash: f80f1a7b613832643bf6da16e99bb1365c63528457b5c7c15487a9f53e92f33f
                                                        • Instruction Fuzzy Hash: D42114B5D002098FDB14CFA9C844BEEBBF5EB88314F10842AD969A7250C778A941CFA1
                                                        Function 0144D780 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 440 144d780-144d81c DuplicateHandle 441 144d825-144d842 440->441 442 144d81e-144d824 440->442 442->441
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D74E,?,?,?,?,?), ref: 0144D80F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 87712242e258af6907ec2e552d9a01a730836040fa66ddf59954267e2201ae1f
                                                        • Instruction ID: 334cf6bdfa6bf0116d850d4697561a0bd2dfdef3c4b9fe23d04a821c27982ee7
                                                        • Opcode Fuzzy Hash: 87712242e258af6907ec2e552d9a01a730836040fa66ddf59954267e2201ae1f
                                                        • Instruction Fuzzy Hash: 5B21B3B5D002489FEB10CF99D984AEEBBF5FB48324F14845AE918A3350D378A944CFA1
                                                        Function 091521A0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 453 91521a0-91521e2 454 91521e4-91521ec 453->454 455 91521ee-915221e EnumThreadWindows 453->455 454->455 456 9152227-9152254 455->456 457 9152220-9152226 455->457 457->456
                                                        APIs
                                                        • EnumThreadWindows.USER32(?,00000000,?), ref: 09152211
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2012526791.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9150000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: EnumThreadWindows
                                                        • String ID:
                                                        • API String ID: 2941952884-0
                                                        • Opcode ID: 5f85629de0d5bb66087df6c710d53e192d69b127924ba2f28474821d849603b3
                                                        • Instruction ID: 2084fbd3e4e1e112df87ec1cb11dd8cd509dd2206aecb7b31edb5e3a6cc00414
                                                        • Opcode Fuzzy Hash: 5f85629de0d5bb66087df6c710d53e192d69b127924ba2f28474821d849603b3
                                                        • Instruction Fuzzy Hash: 762127B5D002098FDB14DF9AC844BEEFBF5FB88324F14842AD469A3250D778A945CFA5
                                                        Function 0144B498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 461 144b498-144b4d8 462 144b4e0-144b50b GetModuleHandleW 461->462 463 144b4da-144b4dd 461->463 464 144b514-144b528 462->464 465 144b50d-144b513 462->465 463->462 465->464
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0144B4FE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: cb636975b80e3d84c0a954428a3a92c5b7ef35a9dabcb9ff5119833ec9e384cd
                                                        • Instruction ID: 76652912a724baec8612b6df3e7a5ea5f0855e78eeb6d29ac73a0099b886fecd
                                                        • Opcode Fuzzy Hash: cb636975b80e3d84c0a954428a3a92c5b7ef35a9dabcb9ff5119833ec9e384cd
                                                        • Instruction Fuzzy Hash: 0811E0B5C006498FEB10DFAAD844ADEFBF4EF88314F14842AD529A7710D379A645CFA1
                                                        Function 09151502 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 467 9151502-915156a OleInitialize 468 9151573-9151590 467->468 469 915156c-9151572 467->469 469->468
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2012526791.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9150000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: 6682a5ae3e3911a7ca4d2f1d45071289acd0fabdfbf44d7748101dd7af42f7a7
                                                        • Instruction ID: ad8c52309b2a24f2d372cfbe2d2a69f223a50c1c15cfa16cfc133b2dab04c247
                                                        • Opcode Fuzzy Hash: 6682a5ae3e3911a7ca4d2f1d45071289acd0fabdfbf44d7748101dd7af42f7a7
                                                        • Instruction Fuzzy Hash: 4C1142B0D04248CFDB20DFAAD548BEEBFF5EB49324F24845AD519A3210C379A640CFA0
                                                        Function 09151508 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 472 9151508-915156a OleInitialize 473 9151573-9151590 472->473 474 915156c-9151572 472->474 474->473
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2012526791.0000000009150000.00000040.00000800.00020000.00000000.sdmp, Offset: 09150000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9150000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: 9abea6e64c813e4a8b22c43c48e8e04dca2be80b9f5050b6a6c8232edfe9eca8
                                                        • Instruction ID: 41d51b702909e83ade62a9cdb1171d764e23264c4723a5dd906105c2732a7b68
                                                        • Opcode Fuzzy Hash: 9abea6e64c813e4a8b22c43c48e8e04dca2be80b9f5050b6a6c8232edfe9eca8
                                                        • Instruction Fuzzy Hash: 821112B1D042488FDB20DF9AD544B9EBBF8EB48324F20841AD519A3200C378A644CFA5
                                                        Function 012AD01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2009854544.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_12ad000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 51f328b8ea069a6685c16dd6b3326f9054a8cb85c90e775f10d91f2d04fd2c14
                                                        • Instruction ID: e1cba67611fdcf878388a8f8c64e2e3a82eed47d2918e6634d0c32d516fa2097
                                                        • Opcode Fuzzy Hash: 51f328b8ea069a6685c16dd6b3326f9054a8cb85c90e775f10d91f2d04fd2c14
                                                        • Instruction Fuzzy Hash: 12214270294208DFCB15CF68D980B22BF65FB88314F60C56DDA0A0B656C37AD407CA61
                                                        Function 012AD006 Relevance: .1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2009854544.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_12ad000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d09639082974e5a2953d3a1c152fb9c0ed93a2755cc700b14b723c9155de40e1
                                                        • Instruction ID: 8eb21d45d12f511caf1788be9aaa38482a261162f43933a735e7a290b6e6a84d
                                                        • Opcode Fuzzy Hash: d09639082974e5a2953d3a1c152fb9c0ed93a2755cc700b14b723c9155de40e1
                                                        • Instruction Fuzzy Hash: 7921B0714483849FCB03CF24D994711BF71EB4A314F28C5DAD9898F6A7C33A980ACB62

                                                        Non-executed Functions

                                                        Function 0144E084 Relevance: .3, Instructions: 264COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2010038760.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1440000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 93279baadb220f5853a8e31e43c3b2b8d322f8973fa26ea29f18981b373bc146
                                                        • Instruction ID: a4cb741c4e49a980da1aa947427199d2df76707839c2a0101fe6e43ef20a2e73
                                                        • Opcode Fuzzy Hash: 93279baadb220f5853a8e31e43c3b2b8d322f8973fa26ea29f18981b373bc146
                                                        • Instruction Fuzzy Hash: 84A18C32E0021A8FEF15DFB9C84059EBBB2FF95300B14456AE905BB365DB35E919CB40

                                                        Execution Graph

                                                        Execution Coverage:13.8%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:22.5%
                                                        Total number of Nodes:40
                                                        Total number of Limit Nodes:2
                                                        execution_graph 17541 df46d8 17542 df46e4 17541->17542 17545 df48c9 17542->17545 17543 df4713 17546 df48e4 17545->17546 17553 df4ef8 17546->17553 17558 df4f08 17546->17558 17547 df48f0 17563 11c15f8 17547->17563 17568 11c15ea 17547->17568 17548 df491a 17548->17543 17554 df4f08 17553->17554 17555 df4ff6 17554->17555 17573 dfc76c 17554->17573 17579 dfc168 17554->17579 17555->17547 17559 df4f2a 17558->17559 17560 df4ff6 17559->17560 17561 dfc76c 2 API calls 17559->17561 17562 dfc168 LdrInitializeThunk 17559->17562 17560->17547 17561->17560 17562->17560 17564 11c161a 17563->17564 17565 11c172c 17564->17565 17566 dfc76c 2 API calls 17564->17566 17567 dfc168 LdrInitializeThunk 17564->17567 17565->17548 17566->17565 17567->17565 17569 11c15f8 17568->17569 17570 11c172c 17569->17570 17571 dfc76c 2 API calls 17569->17571 17572 dfc168 LdrInitializeThunk 17569->17572 17570->17548 17571->17570 17572->17570 17578 dfc623 17573->17578 17574 dfc764 LdrInitializeThunk 17576 dfc8c1 17574->17576 17576->17555 17577 dfc168 LdrInitializeThunk 17577->17578 17578->17574 17578->17577 17580 dfc17a 17579->17580 17582 dfc17f 17579->17582 17580->17555 17581 dfc8a9 LdrInitializeThunk 17581->17580 17582->17580 17582->17581 17583 dfcab0 17585 dfcadd 17583->17585 17584 dfe9bf 17585->17584 17586 dfc168 LdrInitializeThunk 17585->17586 17588 dfcde6 17585->17588 17586->17588 17587 dfc168 LdrInitializeThunk 17587->17588 17588->17584 17588->17587

                                                        Executed Functions

                                                        Function 011C7780 Relevance: 12.2, Strings: 9, Instructions: 920COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                                        • API String ID: 0-99275883
                                                        • Opcode ID: 8c6ffc4ec038d0518093b68f8607c99b82f7c9a0fff07f66f648379e44deae95
                                                        • Instruction ID: bdb08d31305e602eeb0631ecb653f8ea5d8f68fcb60dd595bc3b1185b72488e0
                                                        • Opcode Fuzzy Hash: 8c6ffc4ec038d0518093b68f8607c99b82f7c9a0fff07f66f648379e44deae95
                                                        • Instruction Fuzzy Hash: 01828A30A0060ADFCB19CF68C984AAEBBF2FF99710F158569E5459B2A2C770ED41CF51
                                                        Function 011C6A20 Relevance: 9.7, Strings: 7, Instructions: 920COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (o]q$(o]q$(o]q$(o]q$,aq$,aq$Haq
                                                        • API String ID: 0-105717579
                                                        • Opcode ID: 580805dccf68e77e41ff5f0ebbe94ebeb50c61008b7a129a369f204428a4d3e2
                                                        • Instruction ID: 0cdc12735acebae146422e6568e0e1b8410583ba217f9241dfeacb39183c9c64
                                                        • Opcode Fuzzy Hash: 580805dccf68e77e41ff5f0ebbe94ebeb50c61008b7a129a369f204428a4d3e2
                                                        • Instruction Fuzzy Hash: 71728D70A002198FCB19DF69C884AAEBBF6BF98700F158469E815AB3A5DB70DD41CF51
                                                        Function 011C1C58 Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2397 11c1c58-11c1c80 2398 11c1c87-11c1d2b 2397->2398 2399 11c1c82 2397->2399 2403 11c1d2d-11c1d34 2398->2403 2404 11c1d39-11c1d8a 2398->2404 2399->2398 2405 11c1f94-11c1fb2 2403->2405 2412 11c1e5c 2404->2412 2413 11c1e65-11c1e73 2412->2413 2414 11c1d8f-11c1dbc 2413->2414 2415 11c1e79-11c1e9e 2413->2415 2422 11c1ddd 2414->2422 2423 11c1dbe-11c1dc7 2414->2423 2420 11c1eb6 2415->2420 2421 11c1ea0-11c1eb5 2415->2421 2420->2405 2421->2420 2426 11c1de0-11c1e01 2422->2426 2424 11c1dce-11c1dd1 2423->2424 2425 11c1dc9-11c1dcc 2423->2425 2428 11c1ddb 2424->2428 2425->2428 2431 11c1e5a-11c1e5b 2426->2431 2432 11c1e03-11c1e59 2426->2432 2428->2426 2431->2412 2432->2431
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PH]q$PH]q
                                                        • API String ID: 0-1166926398
                                                        • Opcode ID: 805be0e561d99ff41775f1d174a7cdb6a7143f85ce58c81253580795d0a0ce8b
                                                        • Instruction ID: 7073c4a2c4a554769e88163570d4ecc904302aa078ecddd048c373bde5a1457a
                                                        • Opcode Fuzzy Hash: 805be0e561d99ff41775f1d174a7cdb6a7143f85ce58c81253580795d0a0ce8b
                                                        • Instruction Fuzzy Hash: 8481CE74E00218DFDB58DFAAD994BADBBF2BF89300F20806AD419AB355DB345946CF50
                                                        Function 00DFC168 Relevance: 2.0, APIs: 1, Instructions: 532COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2499 dfc168-dfc178 2500 dfc17f-dfc18b 2499->2500 2501 dfc17a 2499->2501 2504 dfc18d 2500->2504 2505 dfc192-dfc1a7 2500->2505 2502 dfc2ab-dfc2b5 2501->2502 2504->2502 2508 dfc1ad-dfc1b8 2505->2508 2509 dfc2bb-dfc2fb call df5d08 2505->2509 2512 dfc1be-dfc1c5 2508->2512 2513 dfc2b6 2508->2513 2525 dfc302-dfc378 call df5d08 call df5c00 2509->2525 2514 dfc1c7-dfc1de 2512->2514 2515 dfc1f2-dfc1fd 2512->2515 2513->2509 2524 dfc1e4-dfc1e7 2514->2524 2514->2525 2520 dfc1ff-dfc207 2515->2520 2521 dfc20a-dfc214 2515->2521 2520->2521 2531 dfc29e-dfc2a3 2521->2531 2532 dfc21a-dfc224 2521->2532 2524->2513 2529 dfc1ed-dfc1f0 2524->2529 2559 dfc3df-dfc454 call df5ca8 2525->2559 2560 dfc37a-dfc3b7 2525->2560 2529->2514 2529->2515 2531->2502 2532->2513 2537 dfc22a-dfc246 2532->2537 2542 dfc24a-dfc24d 2537->2542 2543 dfc248 2537->2543 2544 dfc24f-dfc252 2542->2544 2545 dfc254-dfc257 2542->2545 2543->2502 2548 dfc25a-dfc268 2544->2548 2545->2548 2548->2513 2553 dfc26a-dfc271 2548->2553 2553->2502 2554 dfc273-dfc279 2553->2554 2554->2513 2556 dfc27b-dfc280 2554->2556 2556->2513 2557 dfc282-dfc295 2556->2557 2557->2513 2562 dfc297-dfc29a 2557->2562 2568 dfc4f3-dfc4f9 2559->2568 2563 dfc3be-dfc3dc 2560->2563 2564 dfc3b9 2560->2564 2562->2554 2566 dfc29c 2562->2566 2563->2559 2564->2563 2566->2502 2569 dfc4ff-dfc517 2568->2569 2570 dfc459-dfc46c 2568->2570 2571 dfc52b-dfc53e 2569->2571 2572 dfc519-dfc526 2569->2572 2573 dfc46e 2570->2573 2574 dfc473-dfc4c4 2570->2574 2576 dfc545-dfc561 2571->2576 2577 dfc540 2571->2577 2575 dfc8c1-dfc9bf 2572->2575 2573->2574 2591 dfc4d7-dfc4e9 2574->2591 2592 dfc4c6-dfc4d4 2574->2592 2582 dfc9c7-dfc9d1 2575->2582 2583 dfc9c1-dfc9c6 call df5ca8 2575->2583 2579 dfc568-dfc58c 2576->2579 2580 dfc563 2576->2580 2577->2576 2587 dfc58e 2579->2587 2588 dfc593-dfc5c5 2579->2588 2580->2579 2583->2582 2587->2588 2597 dfc5cc-dfc60e 2588->2597 2598 dfc5c7 2588->2598 2594 dfc4eb 2591->2594 2595 dfc4f0 2591->2595 2592->2569 2594->2595 2595->2568 2600 dfc615-dfc61e 2597->2600 2601 dfc610 2597->2601 2598->2597 2602 dfc846-dfc84c 2600->2602 2601->2600 2603 dfc623-dfc648 2602->2603 2604 dfc852-dfc865 2602->2604 2605 dfc64f-dfc686 2603->2605 2606 dfc64a 2603->2606 2607 dfc86c-dfc887 2604->2607 2608 dfc867 2604->2608 2616 dfc68d-dfc6bf 2605->2616 2617 dfc688 2605->2617 2606->2605 2609 dfc88e-dfc8a2 2607->2609 2610 dfc889 2607->2610 2608->2607 2614 dfc8a9-dfc8bf LdrInitializeThunk 2609->2614 2615 dfc8a4 2609->2615 2610->2609 2614->2575 2615->2614 2619 dfc723-dfc736 2616->2619 2620 dfc6c1-dfc6e6 2616->2620 2617->2616 2623 dfc73d-dfc762 2619->2623 2624 dfc738 2619->2624 2621 dfc6ed-dfc71b 2620->2621 2622 dfc6e8 2620->2622 2621->2619 2622->2621 2627 dfc764-dfc765 2623->2627 2628 dfc771-dfc7a9 2623->2628 2624->2623 2627->2604 2629 dfc7ab 2628->2629 2630 dfc7b0-dfc811 call dfc168 2628->2630 2629->2630 2636 dfc818-dfc83c 2630->2636 2637 dfc813 2630->2637 2640 dfc83e 2636->2640 2641 dfc843 2636->2641 2637->2636 2640->2641 2641->2602
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243055121.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_df0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 46968c1943f2d5bd65d6eadd2fd3fbb4d48f4ca41c0014e0c3d241f756332af2
                                                        • Instruction ID: 47ebccf13ef92f3320447d0cd2908e6370547d8066bcafc526354e302ce1f733
                                                        • Opcode Fuzzy Hash: 46968c1943f2d5bd65d6eadd2fd3fbb4d48f4ca41c0014e0c3d241f756332af2
                                                        • Instruction Fuzzy Hash: 79221570E1021D8FDB14DFA8C984BADBBB2BF88300F1595A9D509AB355DB31AD85CF60
                                                        Function 011C4500 Relevance: .7, Instructions: 745COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bfa897f59836becf015b1cae919e93dffec2ca18fb6a696f8bf36ae80e263c21
                                                        • Instruction ID: d6a10d92ebb00fdb15a8ddb285ad76a00856130a56f981e07840c2c9564c707a
                                                        • Opcode Fuzzy Hash: bfa897f59836becf015b1cae919e93dffec2ca18fb6a696f8bf36ae80e263c21
                                                        • Instruction Fuzzy Hash: CF828C74E012288FDB69DF69CD94BDDBBB2BB89300F1481E9940DA7265DB305E85CF50
                                                        Function 011C15F8 Relevance: .3, Instructions: 296COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 136531648b18c3e91cf7006de5f1202fbfa44915a9540d97a91ebd88eae44877
                                                        • Instruction ID: daaebfde4e24d12b133b78f76069bef3d5f004ed22f55315386e5642a911179a
                                                        • Opcode Fuzzy Hash: 136531648b18c3e91cf7006de5f1202fbfa44915a9540d97a91ebd88eae44877
                                                        • Instruction Fuzzy Hash: EBE1D374E01218CFEB24DFA5D954B9DBBB2FF89300F2080A9D408AB395DB755A85CF25
                                                        Function 00DF4F08 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243055121.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_df0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a12ecd96246bbbe5c18c5fa8ecea2bb485410c5ac929c4d984a46afcf7903a1d
                                                        • Instruction ID: ea35d4c4bdaba007ba969be786680cc92713940d3d008f5f6464c9d8e81e2011
                                                        • Opcode Fuzzy Hash: a12ecd96246bbbe5c18c5fa8ecea2bb485410c5ac929c4d984a46afcf7903a1d
                                                        • Instruction Fuzzy Hash: 2DC1B274E00218CFDB19DFA5D954B9DBBB2BF88300F2081A9D809AB359DB759E85CF50
                                                        Function 00DF5367 Relevance: .2, Instructions: 220COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243055121.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_df0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9330b28eeaf77d08202a49ff54268b53aa3f16e91e4ed6437d3c974c4a7f940e
                                                        • Instruction ID: 49723213efb7fc1fc9123807a168a9faade23ab50932ac66550b7b4808cedbe7
                                                        • Opcode Fuzzy Hash: 9330b28eeaf77d08202a49ff54268b53aa3f16e91e4ed6437d3c974c4a7f940e
                                                        • Instruction Fuzzy Hash: 1EA10470D00608CFDB24DFA8D548BEDBBB1FF89301F248269E519A72A5DB749985CF60
                                                        Function 00DF56AF Relevance: .2, Instructions: 202COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243055121.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_df0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 37c7867a4a9071ece0414863234459345d0b17457fd56420f92ee5e07ed5ca9d
                                                        • Instruction ID: b48bc7505805b2e7c579cc90fe5389e5cf8d6c25f54aeb258a1053788070019b
                                                        • Opcode Fuzzy Hash: 37c7867a4a9071ece0414863234459345d0b17457fd56420f92ee5e07ed5ca9d
                                                        • Instruction Fuzzy Hash: 79912470D00608CFDB14DFA8D588BECBBB1FF49301F2482A9E119AB295DB709984CF60
                                                        Function 011C15EA Relevance: .1, Instructions: 115COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f2551df97ac7a5f38bad938bc0db9d3f6cc7d48d0be62fd9b92a6af5c79fb5cf
                                                        • Instruction ID: 6366f491efa48fd82be8571e309d44eaff2711ea12a0cf9f9ed4c23421ea52c3
                                                        • Opcode Fuzzy Hash: f2551df97ac7a5f38bad938bc0db9d3f6cc7d48d0be62fd9b92a6af5c79fb5cf
                                                        • Instruction Fuzzy Hash: 4241E2B1D00608CBEB18DFAAC84479DBBF2BF89304F14C069D518BB295DB355946CF64
                                                        Function 011C8848 Relevance: 4.6, Strings: 3, Instructions: 824COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 848 11c8848-11c8d36 923 11c8d3c-11c8d4c 848->923 924 11c9288-11c92bd 848->924 923->924 925 11c8d52-11c8d62 923->925 929 11c92bf-11c92c4 924->929 930 11c92c9-11c92e7 924->930 925->924 926 11c8d68-11c8d78 925->926 926->924 928 11c8d7e-11c8d8e 926->928 928->924 931 11c8d94-11c8da4 928->931 932 11c93ae-11c93b3 929->932 942 11c935e-11c936a 930->942 943 11c92e9-11c92f3 930->943 931->924 933 11c8daa-11c8dba 931->933 933->924 935 11c8dc0-11c8dd0 933->935 935->924 936 11c8dd6-11c8de6 935->936 936->924 938 11c8dec-11c8dfc 936->938 938->924 939 11c8e02-11c8e12 938->939 939->924 941 11c8e18-11c9287 939->941 948 11c936c-11c9378 942->948 949 11c9381-11c938d 942->949 943->942 947 11c92f5-11c9301 943->947 955 11c9326-11c9329 947->955 956 11c9303-11c930e 947->956 948->949 957 11c937a-11c937f 948->957 958 11c938f-11c939b 949->958 959 11c93a4-11c93a6 949->959 960 11c932b-11c9337 955->960 961 11c9340-11c934c 955->961 956->955 968 11c9310-11c931a 956->968 957->932 958->959 970 11c939d-11c93a2 958->970 959->932 960->961 973 11c9339-11c933e 960->973 962 11c934e-11c9355 961->962 963 11c93b4-11c93c4 961->963 962->963 967 11c9357-11c935c 962->967 974 11c9416-11c941d 963->974 975 11c93c6-11c9410 963->975 967->932 968->955 978 11c931c-11c9321 968->978 970->932 973->932 979 11c94a6-11c94f8 974->979 980 11c9423-11c942e 974->980 975->980 989 11c9412 975->989 978->932 985 11c94ff-11c9544 call 11c82c0 979->985 980->985 986 11c9434-11c9491 980->986 1008 11c9555-11c9563 985->1008 1009 11c9546-11c9553 985->1009 997 11c949a-11c94a3 986->997 989->974 1014 11c9565-11c956f 1008->1014 1015 11c9571 1008->1015 1016 11c9573-11c9576 1009->1016 1014->1016 1015->1016
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (o]q$$]q$$]q
                                                        • API String ID: 0-989248301
                                                        • Opcode ID: a5e7b5f79443bee77b02671039f2d0d3693821773ae68b56a04e92bdc07ad9bd
                                                        • Instruction ID: 536a70081a78b4c51481beeb7e7c498510f0db07c3a317e7b1b9201e23fcafe3
                                                        • Opcode Fuzzy Hash: a5e7b5f79443bee77b02671039f2d0d3693821773ae68b56a04e92bdc07ad9bd
                                                        • Instruction Fuzzy Hash: 52727170A002188FEB599BA4C960B9EBBB7FF85300F1080ADD51A6B3A5CF359E45CF55
                                                        Function 011C6140 Relevance: 2.8, Strings: 2, Instructions: 340COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2120 11c6140-11c6162 2121 11c6178-11c6183 2120->2121 2122 11c6164-11c6168 2120->2122 2123 11c6189-11c618b 2121->2123 2124 11c622b-11c6257 2121->2124 2125 11c616a-11c6176 2122->2125 2126 11c6190-11c6197 2122->2126 2127 11c6223-11c6228 2123->2127 2132 11c625e-11c62b6 2124->2132 2125->2121 2125->2126 2128 11c6199-11c61a0 2126->2128 2129 11c61b7-11c61c0 2126->2129 2128->2129 2130 11c61a2-11c61ad 2128->2130 2231 11c61c2 call 11c6130 2129->2231 2232 11c61c2 call 11c6140 2129->2232 2130->2132 2133 11c61b3-11c61b5 2130->2133 2153 11c62b8-11c62be 2132->2153 2154 11c62c5-11c62d6 call 11c2a50 2132->2154 2133->2127 2134 11c61c8-11c61ca 2136 11c61cc-11c61d0 2134->2136 2137 11c61d2-11c61da 2134->2137 2136->2137 2138 11c61ed-11c61fe 2136->2138 2139 11c61dc-11c61e1 2137->2139 2140 11c61e9-11c61eb 2137->2140 2233 11c6201 call 11c6988 2138->2233 2234 11c6201 call 11c6a20 2138->2234 2139->2140 2140->2127 2143 11c6207-11c620c 2146 11c620e-11c6217 2143->2146 2147 11c6221 2143->2147 2224 11c6219 call 11c947d 2146->2224 2225 11c6219 call 11c8838 2146->2225 2226 11c6219 call 11c8848 2146->2226 2147->2127 2149 11c621f 2149->2127 2153->2154 2157 11c62dc-11c62e0 2154->2157 2158 11c636a-11c636c 2154->2158 2159 11c62f0-11c62fd 2157->2159 2160 11c62e2-11c62ee 2157->2160 2227 11c636e call 11c6130 2158->2227 2228 11c636e call 11c6140 2158->2228 2168 11c62ff-11c6309 2159->2168 2160->2168 2161 11c6374-11c637a 2162 11c637c-11c6382 2161->2162 2163 11c6386-11c638d 2161->2163 2166 11c63e8-11c6447 2162->2166 2167 11c6384 2162->2167 2183 11c644e-11c647e 2166->2183 2167->2163 2171 11c630b-11c631a 2168->2171 2172 11c6336-11c633a 2168->2172 2181 11c631c-11c6323 2171->2181 2182 11c632a-11c6334 2171->2182 2173 11c633c-11c6342 2172->2173 2174 11c6346-11c634a 2172->2174 2177 11c6344 2173->2177 2178 11c6390-11c63e1 2173->2178 2174->2163 2179 11c634c-11c6350 2174->2179 2177->2163 2178->2166 2179->2183 2184 11c6356-11c6368 2179->2184 2181->2182 2182->2172 2195 11c6480-11c648d 2183->2195 2196 11c64a3-11c64b0 2183->2196 2184->2163 2201 11c649f-11c64a1 2195->2201 2202 11c648f-11c649d 2195->2202 2204 11c64b2-11c64bc 2196->2204 2201->2204 2202->2204 2210 11c64be-11c64cc 2204->2210 2211 11c64e4 2204->2211 2215 11c64ce-11c64d2 2210->2215 2216 11c64d9-11c64e2 2210->2216 2229 11c64e6 call 11c6600 2211->2229 2230 11c64e6 call 11c65f1 2211->2230 2214 11c64ec-11c64f0 2217 11c6509-11c650d 2214->2217 2218 11c64f2-11c6507 2214->2218 2215->2216 2216->2211 2219 11c650f-11c6524 2217->2219 2220 11c652b-11c6531 2217->2220 2218->2220 2219->2220 2224->2149 2225->2149 2226->2149 2227->2161 2228->2161 2229->2214 2230->2214 2231->2134 2232->2134 2233->2143 2234->2143
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Haq$Haq
                                                        • API String ID: 0-4016896955
                                                        • Opcode ID: 9f3cb825d0163f0a8c61def5e8a9e071370e4a5b312e87dcec4a4e12579f56e5
                                                        • Instruction ID: a0c835a28e36644987c2a998db3e87bcf2349abe514b5491a72425e7214b105e
                                                        • Opcode Fuzzy Hash: 9f3cb825d0163f0a8c61def5e8a9e071370e4a5b312e87dcec4a4e12579f56e5
                                                        • Instruction Fuzzy Hash: 47C1DE307042519FDB1E9F28D894A6E7BA2BFD9700B15846DE906CB396DF34DC42CB91
                                                        Function 011C6600 Relevance: 2.7, Strings: 2, Instructions: 231COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2317 11c6600-11c660d 2318 11c660f-11c6613 2317->2318 2319 11c6615-11c6617 2317->2319 2318->2319 2320 11c661c-11c6627 2318->2320 2321 11c6828-11c682f 2319->2321 2322 11c662d-11c6634 2320->2322 2323 11c6830 2320->2323 2324 11c67c9-11c67cf 2322->2324 2325 11c663a-11c6649 2322->2325 2326 11c6835-11c686d 2323->2326 2328 11c67d5-11c67d9 2324->2328 2329 11c67d1-11c67d3 2324->2329 2325->2326 2327 11c664f-11c665e 2325->2327 2347 11c686f-11c6874 2326->2347 2348 11c6876-11c687a 2326->2348 2335 11c6660-11c6663 2327->2335 2336 11c6673-11c6676 2327->2336 2330 11c67db-11c67e1 2328->2330 2331 11c6826 2328->2331 2329->2321 2330->2323 2332 11c67e3-11c67e6 2330->2332 2331->2321 2332->2323 2337 11c67e8-11c67fd 2332->2337 2338 11c6665-11c6668 2335->2338 2339 11c6682-11c6688 2335->2339 2336->2339 2340 11c6678-11c667b 2336->2340 2354 11c67ff-11c6805 2337->2354 2355 11c6821-11c6824 2337->2355 2342 11c666e 2338->2342 2343 11c6769-11c676f 2338->2343 2349 11c668a-11c6690 2339->2349 2350 11c66a0-11c66bd 2339->2350 2344 11c667d 2340->2344 2345 11c66ce-11c66d4 2340->2345 2351 11c6794-11c67a1 2342->2351 2359 11c6787-11c6791 2343->2359 2360 11c6771-11c6777 2343->2360 2344->2351 2352 11c66ec-11c66fe 2345->2352 2353 11c66d6-11c66dc 2345->2353 2356 11c6880-11c6882 2347->2356 2348->2356 2357 11c6694-11c669e 2349->2357 2358 11c6692 2349->2358 2387 11c66c6-11c66c9 2350->2387 2378 11c67b5-11c67b7 2351->2378 2379 11c67a3-11c67a7 2351->2379 2381 11c670e-11c6731 2352->2381 2382 11c6700-11c670c 2352->2382 2361 11c66de 2353->2361 2362 11c66e0-11c66ea 2353->2362 2363 11c6817-11c681a 2354->2363 2364 11c6807-11c6815 2354->2364 2355->2321 2365 11c6884-11c6896 2356->2365 2366 11c6897-11c689e 2356->2366 2357->2350 2358->2350 2359->2351 2367 11c6779 2360->2367 2368 11c677b-11c6785 2360->2368 2361->2352 2362->2352 2363->2323 2373 11c681c-11c681f 2363->2373 2364->2323 2364->2363 2367->2359 2368->2359 2373->2354 2373->2355 2385 11c67bb-11c67be 2378->2385 2379->2378 2384 11c67a9-11c67ad 2379->2384 2381->2323 2393 11c6737-11c673a 2381->2393 2391 11c6759-11c6767 2382->2391 2384->2323 2388 11c67b3 2384->2388 2385->2323 2389 11c67c0-11c67c3 2385->2389 2387->2351 2388->2385 2389->2324 2389->2325 2391->2351 2393->2323 2395 11c6740-11c6752 2393->2395 2395->2391
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ,aq$,aq
                                                        • API String ID: 0-2990736959
                                                        • Opcode ID: 2fc86aa358193332d10ca904a3c9e567e6e15f42093756b1316639ac26d4c2cd
                                                        • Instruction ID: ea543ae4b4ccff6161cefd8ceb29fc1cb2b550746254422673a36b33d039d3ab
                                                        • Opcode Fuzzy Hash: 2fc86aa358193332d10ca904a3c9e567e6e15f42093756b1316639ac26d4c2cd
                                                        • Instruction Fuzzy Hash: AF81CD74A006158FDB1CCF6DC8849AABBB2FF98A04B15846DD505DB3A5DB31EC41CF91
                                                        Function 00DFC76C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2642 dfc76c 2643 dfc82b-dfc83c 2642->2643 2644 dfc83e 2643->2644 2645 dfc843-dfc84c 2643->2645 2644->2645 2647 dfc623-dfc648 2645->2647 2648 dfc852-dfc865 2645->2648 2649 dfc64f-dfc686 2647->2649 2650 dfc64a 2647->2650 2651 dfc86c-dfc887 2648->2651 2652 dfc867 2648->2652 2660 dfc68d-dfc6bf 2649->2660 2661 dfc688 2649->2661 2650->2649 2653 dfc88e-dfc8a2 2651->2653 2654 dfc889 2651->2654 2652->2651 2658 dfc8a9-dfc8bf LdrInitializeThunk 2653->2658 2659 dfc8a4 2653->2659 2654->2653 2662 dfc8c1-dfc9bf 2658->2662 2659->2658 2667 dfc723-dfc736 2660->2667 2668 dfc6c1-dfc6e6 2660->2668 2661->2660 2665 dfc9c7-dfc9d1 2662->2665 2666 dfc9c1-dfc9c6 call df5ca8 2662->2666 2666->2665 2673 dfc73d-dfc762 2667->2673 2674 dfc738 2667->2674 2670 dfc6ed-dfc71b 2668->2670 2671 dfc6e8 2668->2671 2670->2667 2671->2670 2677 dfc764-dfc765 2673->2677 2678 dfc771-dfc7a9 2673->2678 2674->2673 2677->2648 2679 dfc7ab 2678->2679 2680 dfc7b0-dfc811 call dfc168 2678->2680 2679->2680 2686 dfc818-dfc82a 2680->2686 2687 dfc813 2680->2687 2686->2643 2687->2686
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 00DFC8AE
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243055121.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_df0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 47ad2b86ab42290f63f3a3f812241f7808c07b7ca640ab2cd12412475a7065c1
                                                        • Instruction ID: e14d46cc552b9a5370e8a9d5e4aff638dfddb9d459b67efa5e9a50de7526dad2
                                                        • Opcode Fuzzy Hash: 47ad2b86ab42290f63f3a3f812241f7808c07b7ca640ab2cd12412475a7065c1
                                                        • Instruction Fuzzy Hash: BC119AB4E1120D8FCB04DBA8D584AFDBBB5FF88305F65D165EA04A7242D730E941CB60
                                                        Function 011C5F08 Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d8bq
                                                        • API String ID: 0-3484500975
                                                        • Opcode ID: 11179ad70a9a9b9f9fbc419053b76ccb1fc5f0db704b4afb2a24c404c0604d50
                                                        • Instruction ID: e7ce53d31bdfe525384df94b28da1344967a71a8229bcb59a85db2f6ecc53032
                                                        • Opcode Fuzzy Hash: 11179ad70a9a9b9f9fbc419053b76ccb1fc5f0db704b4afb2a24c404c0604d50
                                                        • Instruction Fuzzy Hash: 8841DD30300A018FC72DAB3EE854A2A7BE6AF95700F15487DE546CB3A1EB64EC05CB91
                                                        Function 011C2537 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (&]q
                                                        • API String ID: 0-1343553580
                                                        • Opcode ID: 96ce52a410bc4a02f7ab399873495921b36fbba0fb8b9f14052420c3661e9fcd
                                                        • Instruction ID: 9c0f463b86f76432c8ae2c8d13cf8dd5c43be3462a95fcffabe416cf5a94a23c
                                                        • Opcode Fuzzy Hash: 96ce52a410bc4a02f7ab399873495921b36fbba0fb8b9f14052420c3661e9fcd
                                                        • Instruction Fuzzy Hash: 9D415531F002198BDB19DFA9C8906DEBBB2AF95B00F14851DE416B7384DF70AD46CBA1
                                                        Function 011C8308 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q
                                                        • API String ID: 0-1259897404
                                                        • Opcode ID: e58671acb999748be1f7648ac76dde3e77655362492595587f22bc5fc93cfc88
                                                        • Instruction ID: 5b779c83cc9da6c4054c1e0c1a72456030f677719eaf8b2a9befedcb884e153d
                                                        • Opcode Fuzzy Hash: e58671acb999748be1f7648ac76dde3e77655362492595587f22bc5fc93cfc88
                                                        • Instruction Fuzzy Hash: 98413575604119DFCB19DF28D888AAE7BB6BF48B10F010069FA168B3B1CB70DC41CBA1
                                                        Function 011C26F7 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M
                                                        • API String ID: 0-3664761504
                                                        • Opcode ID: 53c0b985c4772ab25c8b6abca8620941caa3a694f90f4f89b5444eba04f1633a
                                                        • Instruction ID: e9220b4cf36184f62b0174c34139c625f4c58e3dc6205778c91a496742dcdf7e
                                                        • Opcode Fuzzy Hash: 53c0b985c4772ab25c8b6abca8620941caa3a694f90f4f89b5444eba04f1633a
                                                        • Instruction Fuzzy Hash: 2C313731B042589BCB0AEFB8D8505AE3F72EFA5740B10449EE906E7292DF319C128771
                                                        Function 011C8640 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4']q
                                                        • API String ID: 0-1259897404
                                                        • Opcode ID: 9719493ea34b3e9fd204e1bef03defce2f355c4df2611a4e3d43671d72d6f611
                                                        • Instruction ID: 28bc09cade9ff0054e7e2438eb6fabd40507d34e812df4a1973388f83d2d9690
                                                        • Opcode Fuzzy Hash: 9719493ea34b3e9fd204e1bef03defce2f355c4df2611a4e3d43671d72d6f611
                                                        • Instruction Fuzzy Hash: 6821C7313082658FDB1DDE69D8C0ABF7FEAABA5A01B05842EE516C7244EB74D850CB61
                                                        Function 011C68A1 Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (o]q
                                                        • API String ID: 0-794736227
                                                        • Opcode ID: 8940a727bd6d60b51c7911e6219070309cd9396b8726bf7810dba24ec1e040cb
                                                        • Instruction ID: 000d4dc758533f1f6f26fc98e3c65b2de5dcdb1d3646aa25a96b72138c12bc6e
                                                        • Opcode Fuzzy Hash: 8940a727bd6d60b51c7911e6219070309cd9396b8726bf7810dba24ec1e040cb
                                                        • Instruction Fuzzy Hash: 562125317002004FCB08AFBD9940AAA7FEAEFC5644B1145789505CB35AEE74EC06C7B0
                                                        Function 011C5EF8 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d8bq
                                                        • API String ID: 0-3484500975
                                                        • Opcode ID: 1cb934d50b1d44e3c34b6d9068fdc57003a9e7f12ca3711e27a732404411e1ba
                                                        • Instruction ID: 122a5a433be8fea9ec29d9828e7e1c3df4b685c8d0f8e59b33cb70c509566335
                                                        • Opcode Fuzzy Hash: 1cb934d50b1d44e3c34b6d9068fdc57003a9e7f12ca3711e27a732404411e1ba
                                                        • Instruction Fuzzy Hash: B211BF317007028FC72A9B2DD454B6EBBEAAF91750F058A2CD0968B265DB64E809C752
                                                        Function 011C84F8 Relevance: .2, Instructions: 182COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6225b9b757883c0aec9afbc5cc505701934fba9e993135bd9584f134d36e42b5
                                                        • Instruction ID: f267aeec5f87532614fb18c4eda4e700298701ceafe7f27b0f2a154f7cb029cc
                                                        • Opcode Fuzzy Hash: 6225b9b757883c0aec9afbc5cc505701934fba9e993135bd9584f134d36e42b5
                                                        • Instruction Fuzzy Hash: 2551AF317041258FD718DF3DD8D8A6A7BE9BF99A4030A44AEE516CB366EB30DC01CB51
                                                        Function 011C44F0 Relevance: .2, Instructions: 173COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a0d8865d8714a892b4c9d3942c24a49c901be8b0a1bf72d88919deda4e25245b
                                                        • Instruction ID: 76506a4daae451e0afe653edf9c6aea126dd69a5d6db6be358d93ddc2efa7fce
                                                        • Opcode Fuzzy Hash: a0d8865d8714a892b4c9d3942c24a49c901be8b0a1bf72d88919deda4e25245b
                                                        • Instruction Fuzzy Hash: F881A374E412289FDB69DF29D890BEDBBB2BB89700F1080EAD449A7354DB705E85CF40
                                                        Function 011C5868 Relevance: .1, Instructions: 101COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 723df0074a5e1c0a0fb36580d7b87fe8f68a808f0c9f8da145658990d8b342dc
                                                        • Instruction ID: 1ee28d16762736ce0b76a0d7ba24459a7ead3191b9c12273d47d808cdd5305fa
                                                        • Opcode Fuzzy Hash: 723df0074a5e1c0a0fb36580d7b87fe8f68a808f0c9f8da145658990d8b342dc
                                                        • Instruction Fuzzy Hash: 9831A030704209AFCB4AAF64E9546AF7BB3EB59710F008029F91587295DB35DE55CBA0
                                                        Function 011C8729 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76308c38fb7cb35886464cba989e6a49f6e55940aeafeb44a62ded88526c9ab0
                                                        • Instruction ID: ea1c3bea9d9423f720f88787ce0f7594060ccab2a15958803f006a789f56c6e3
                                                        • Opcode Fuzzy Hash: 76308c38fb7cb35886464cba989e6a49f6e55940aeafeb44a62ded88526c9ab0
                                                        • Instruction Fuzzy Hash: 8B21C4307006104BDB2E573DA8D463E7697AFD9A15714403DD906CB7A6EF38CC42D792
                                                        Function 011C8738 Relevance: .1, Instructions: 87COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42a095ab77aa715a2d4b35ef8c5a0fd1608c0cea4af3c1c2d734a9686b1352f2
                                                        • Instruction ID: 7add8e127cb8cc4ad9d0ec748cdc444550e2087f2c5ee10777fc388008c52f42
                                                        • Opcode Fuzzy Hash: 42a095ab77aa715a2d4b35ef8c5a0fd1608c0cea4af3c1c2d734a9686b1352f2
                                                        • Instruction Fuzzy Hash: 2D21AF347002114BDB2E672EA8E463F759BAFD8A15F14803DD506CB799EB79CC82D391
                                                        Function 00D1D005 Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3242821088.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_d1d000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 60346f1f272510c8062c9d27e9ef6fe00111f16e65abc37dd65484546b2ce46d
                                                        • Instruction ID: 43d21102326fc3eea7872abf2593028c16cc0f491a58015ce27f212959b2c7b6
                                                        • Opcode Fuzzy Hash: 60346f1f272510c8062c9d27e9ef6fe00111f16e65abc37dd65484546b2ce46d
                                                        • Instruction Fuzzy Hash: AB316F7150D3C49FC713CB24D890711BF71AB46214F29C5DBD9898F2A3C33A984ACB62
                                                        Function 00D1D030 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3242821088.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_d1d000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 788ffb5cd6e3921e4043bbc092204aa54d9a1a377060f4d249f8058fda525e00
                                                        • Instruction ID: 2fcbf0515094bf6b3a23d5f93ff0a9a93e7c4f6a8752b983a69cb8381d284aa9
                                                        • Opcode Fuzzy Hash: 788ffb5cd6e3921e4043bbc092204aa54d9a1a377060f4d249f8058fda525e00
                                                        • Instruction Fuzzy Hash: 8E21F575504204EFCB14DF14E980B66BB66FB88314F24C569E9494B256C73AD886CA72
                                                        Function 011C5858 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5d19d4da6b36d21ef48dc0650fd725cbd6539ebd6a8c4a3160155f44bf60004b
                                                        • Instruction ID: 3a5616ea6b629da12e959401928b95f0c1612e8523be92e8a98c9595d9746cd8
                                                        • Opcode Fuzzy Hash: 5d19d4da6b36d21ef48dc0650fd725cbd6539ebd6a8c4a3160155f44bf60004b
                                                        • Instruction Fuzzy Hash: 8021FF30B042589FCB59AF68E4447AF7BB2EB99B10F00803DF9158B349D734AE55CBA0
                                                        Function 011C2270 Relevance: .1, Instructions: 55COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df3384d74c1609df5221860ca9a5a194daf87706d1eb0812b4cca1f328295cd8
                                                        • Instruction ID: 958f20bdb500574c2adc37cfd994342f6640a1421e3df44093ed08c5c11a1305
                                                        • Opcode Fuzzy Hash: df3384d74c1609df5221860ca9a5a194daf87706d1eb0812b4cca1f328295cd8
                                                        • Instruction Fuzzy Hash: CE112672800249DFDB10DF99D944BEEBFF5EB48320F148419E618A7250D379A550DFA1
                                                        Function 011C2990 Relevance: .1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be2f79e8a4dd7683d024a9118140dfa7867c2c050569c58074defec2506bd513
                                                        • Instruction ID: ea71353dffbd1b3a1ba6c63b6e92c8b9dc0ec1198fa3d39e6473bdcec704799e
                                                        • Opcode Fuzzy Hash: be2f79e8a4dd7683d024a9118140dfa7867c2c050569c58074defec2506bd513
                                                        • Instruction Fuzzy Hash: 9F112676800249DFDB20DF99C944BEEBFF5EF48320F14845AE958A7250C339A554DFA1
                                                        Function 011C1EB9 Relevance: .1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a264a6001fe1963a17bfcaa439ed75e8f19e40a1a6702b0f5c7f9f7f51f10d85
                                                        • Instruction ID: fb3241040fe30eb2b324b302aeedca6f7bbe1dfd3b67165098cb6f9bd214a1f0
                                                        • Opcode Fuzzy Hash: a264a6001fe1963a17bfcaa439ed75e8f19e40a1a6702b0f5c7f9f7f51f10d85
                                                        • Instruction Fuzzy Hash: E6118834E00119CFDB05DFE8D850BEEBBB5AF58301F408065E808A7346E73099418F11
                                                        Function 011C60A0 Relevance: .0, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b48683408793387b8080ac2670d89b7f1dc22161d4895d0421332e35369a6001
                                                        • Instruction ID: 1f956c7379ca49419386e02d92da318e5a57b9530c012bad7fcedfc6a54e58f8
                                                        • Opcode Fuzzy Hash: b48683408793387b8080ac2670d89b7f1dc22161d4895d0421332e35369a6001
                                                        • Instruction Fuzzy Hash: FB012673A042586FDB1A8E64AC50BEF3FB6EBD5750F05803AF601D7241D7318912CB61
                                                        Function 011C60B0 Relevance: .0, Instructions: 46COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b33d28bb10b8ea67b35b89a5cfdeb252103da806afc7d057d161fe5085e8ed40
                                                        • Instruction ID: fd8a2d1b619c20c66531bb2b464d064591d1f127a32846e92f5bbf5b0f1987cf
                                                        • Opcode Fuzzy Hash: b33d28bb10b8ea67b35b89a5cfdeb252103da806afc7d057d161fe5085e8ed40
                                                        • Instruction Fuzzy Hash: 710126327000187B8B4D9E58A810AAF3BEBEBC9B50F05802DF605E3380DB319D118BA5
                                                        Function 011C2752 Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6eb20c70178ad81b7cb8b468fb94b3644682cdd82899faefb0e5ef5fcadcdc6c
                                                        • Instruction ID: d5dc115b38d728e5213c8024ebd3f792fc57019335fa998a515b71cc796229ff
                                                        • Opcode Fuzzy Hash: 6eb20c70178ad81b7cb8b468fb94b3644682cdd82899faefb0e5ef5fcadcdc6c
                                                        • Instruction Fuzzy Hash: 6BF090322042197F9F0A9EA8E8509AF7BABFBC9324B10446DF509D7260DB32991197A5
                                                        Function 011C2758 Relevance: .0, Instructions: 35COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 74b9a995833bd57fdae91c2430ebd0eb285340380541a2ef6143605ba8ffffdf
                                                        • Instruction ID: c1679f499dfd45610ee3ec2a615420a13f6e9279385002c86d3e3087b5be0d38
                                                        • Opcode Fuzzy Hash: 74b9a995833bd57fdae91c2430ebd0eb285340380541a2ef6143605ba8ffffdf
                                                        • Instruction Fuzzy Hash: A6F082363042197B9F099E98E8549EF7BABEBC8360B10842DFA09D3350DF319D1197A5
                                                        Function 011C947D Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9ed6abda67c84de04a50034a10c94ebbb68d4566feac5eaeb65e05178f602236
                                                        • Instruction ID: 9eed501b5de8154bf451e5c68804d81aad4057c0baf6fe7eae3a581c79fc220d
                                                        • Opcode Fuzzy Hash: 9ed6abda67c84de04a50034a10c94ebbb68d4566feac5eaeb65e05178f602236
                                                        • Instruction Fuzzy Hash: 52D0673AB40018AFCB159F98E8908DDFB76FB98221B058126E925A3265C6319965DB50
                                                        Function 011C68B0 Relevance: .0, Instructions: 12COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ab77299cdc5ec47dbb13c2870034b1e1b4237aeedb16932bbf25f2a59fb9d1a1
                                                        • Instruction ID: 13b707a330569e517127f30ba0e96522e9c547a91b65170200027ad036d50863
                                                        • Opcode Fuzzy Hash: ab77299cdc5ec47dbb13c2870034b1e1b4237aeedb16932bbf25f2a59fb9d1a1
                                                        • Instruction Fuzzy Hash: A8C012301443184EC649FB65F985916772EAAC02047509530A0160E25EEF785D4D8B94

                                                        Non-executed Functions

                                                        Function 011C9CA0 Relevance: .4, Instructions: 395COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9410212cbcc45a0ada4e42cd94d7ec5e96485271922b606e471f1be4618dd10d
                                                        • Instruction ID: 88e25e0f0d4737209af296f061265f87ddd6841c38687cc3fe4d9417c8a34820
                                                        • Opcode Fuzzy Hash: 9410212cbcc45a0ada4e42cd94d7ec5e96485271922b606e471f1be4618dd10d
                                                        • Instruction Fuzzy Hash: 31020974E00218CFDB19DFA9C984B9DBBB2BF58304F1580A9D809AB365DB35AD85CF50
                                                        Function 011CC530 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f26e58f84137587c7236dfb6313e670e7d84cbaeab331bbd6294dfc97b2f6430
                                                        • Instruction ID: 41226555f4acc6f0c1f7bb5e3aa13bbd98069e21a754dff231a2e82a3b308cba
                                                        • Opcode Fuzzy Hash: f26e58f84137587c7236dfb6313e670e7d84cbaeab331bbd6294dfc97b2f6430
                                                        • Instruction Fuzzy Hash: 3BC1A174E00218CFDB58DFA9D954B9DBBB2BF89300F1090A9D409AB369DB359E85CF50
                                                        Function 011CE928 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d78c7008cf7cd9a2291b91e5e8c7bd10537b70eddb71c0289db33a7a3737735
                                                        • Instruction ID: 8e14c5d69cb509210641cf1620f693aa5ef47d7cd429fd53d4bd62fbf118b9d7
                                                        • Opcode Fuzzy Hash: 2d78c7008cf7cd9a2291b91e5e8c7bd10537b70eddb71c0289db33a7a3737735
                                                        • Instruction Fuzzy Hash: 9DC1C474E01218CFDB58DFA9D954BADBBB2BF88300F1090A9D409AB355DB359E85CF11
                                                        Function 011C0D48 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f7a9664c03e9899c299d08d1e3a4c89fe20acc8ea3eeaec5cd7c73dd8ded36e
                                                        • Instruction ID: e052044bea896ce21aabe284d44c473aacfda58872b35ced6b8a1c6060e43b8e
                                                        • Opcode Fuzzy Hash: 0f7a9664c03e9899c299d08d1e3a4c89fe20acc8ea3eeaec5cd7c73dd8ded36e
                                                        • Instruction Fuzzy Hash: BEC1C174E00218CFDB18DFA5D954B9DBBB2BF89300F1080A9D809AB369DB359E85CF51
                                                        Function 011CC988 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3f3cce3cb7a61b3cbcd8eb89a249651a3f31d28f9c5ffcffbbbee891ac61c599
                                                        • Instruction ID: bb24fb50da585ee810beff0ba89d2d914663a45ff0575f0c5ee259b2df2c6593
                                                        • Opcode Fuzzy Hash: 3f3cce3cb7a61b3cbcd8eb89a249651a3f31d28f9c5ffcffbbbee891ac61c599
                                                        • Instruction Fuzzy Hash: 8EC1C374E00218CFDB58DFA9D954B9DBBB2BF89300F1080A9D409AB359DB359E85CF51
                                                        Function 011CED80 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8ddade41df72b12c09fa74b649f1f00d6e330fd9942ef5ba50b20729b05ce93a
                                                        • Instruction ID: 527ea580413ed195bfc31962ced150f39c54b97f5b8ad2ee67b3f88480b7b73a
                                                        • Opcode Fuzzy Hash: 8ddade41df72b12c09fa74b649f1f00d6e330fd9942ef5ba50b20729b05ce93a
                                                        • Instruction Fuzzy Hash: 36C1B274E00218CFDB58DFA5D954B9DBBB2BF89300F2080A9D409AB369DB359E85CF50
                                                        Function 011C11A0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e2d1389fc812057dfcb2efd5b3bbe0adf70b672afeabfca0bdf5195c7b1e259
                                                        • Instruction ID: e2159d92db649c3d82820ab5e10d5be9fbd7f8b579384e5eb9569f6afe3664d7
                                                        • Opcode Fuzzy Hash: 5e2d1389fc812057dfcb2efd5b3bbe0adf70b672afeabfca0bdf5195c7b1e259
                                                        • Instruction Fuzzy Hash: BFC1C274E00218CFDB19DFA5D954B9DBBB2BF89300F2090A9D809AB359DB359E85CF10
                                                        Function 011CF1D8 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 443451e408c16a78b5a183c8f932fb06c992fb37371bf787c07597761fc22401
                                                        • Instruction ID: 53fba8556d9461961e5a7e4b0d81f832917043280748611055d1879ad8ed8a72
                                                        • Opcode Fuzzy Hash: 443451e408c16a78b5a183c8f932fb06c992fb37371bf787c07597761fc22401
                                                        • Instruction Fuzzy Hash: 1CC1B374E00218CFDB58DFA5D954B9DBBB2BF89300F1090A9D409AB359DB359E86CF14
                                                        Function 011CCDE0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: caa80e5d62e8f6a76fa6bb523a7fda2fe3220c608d123104ca9c4834b0566214
                                                        • Instruction ID: 3d379464fc50e3d265c1742e67bb8b7e52b904d4bc50c05333bad761b19eca0c
                                                        • Opcode Fuzzy Hash: caa80e5d62e8f6a76fa6bb523a7fda2fe3220c608d123104ca9c4834b0566214
                                                        • Instruction Fuzzy Hash: ECC1B374E00218CFDB58DFA9D954B9DBBB2BF89300F1090A9D809AB355DB359E85CF50
                                                        Function 011CB828 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b026ee86167659a0c9054c6cbf838921cd6cb3511895b1f4ba26282722f6148a
                                                        • Instruction ID: fb71287c84378c2539348da7503ea0aef9432d560ee4fde3828f96dc0c6fa0c8
                                                        • Opcode Fuzzy Hash: b026ee86167659a0c9054c6cbf838921cd6cb3511895b1f4ba26282722f6148a
                                                        • Instruction Fuzzy Hash: 8BC1C274E00218CFDB18DFA5D954B9DBBB2BF89300F1090A9D409AB369DB359E85CF14
                                                        Function 011CDC20 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 54db89b7ed506c0108e2a93826532b03ed18ea344d9ce8248e0ccf030e8fa564
                                                        • Instruction ID: 761cc98516f26283839dd5462af838536c65f93499876aa05b64db4a95076593
                                                        • Opcode Fuzzy Hash: 54db89b7ed506c0108e2a93826532b03ed18ea344d9ce8248e0ccf030e8fa564
                                                        • Instruction Fuzzy Hash: 2EC1B274E00218CFDB58DFA5D994B9DBBB2BF89300F1090A9D409AB369DB359E85CF50
                                                        Function 011C3C50 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e0966e4a08602ba5fe79c16bd4ad9038cfbab137f46000a6e0654915e6b8cb9c
                                                        • Instruction ID: cfc53d1a9c6cf93a309eb231cf7cd7cb99d3b48cac487a4e272c8f4055a12672
                                                        • Opcode Fuzzy Hash: e0966e4a08602ba5fe79c16bd4ad9038cfbab137f46000a6e0654915e6b8cb9c
                                                        • Instruction Fuzzy Hash: 93C1B274E00218CFDB18DFA9D954B9DBBB2BF89300F1094A9D409AB369DB359E85CF50
                                                        Function 011C0040 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4194747173a9d859b0c97a74aee9e96501bc386501ae777265b492526a246681
                                                        • Instruction ID: 0354edfa0a8846736914318957671abca676892c0906100f6dac1c3ed507d142
                                                        • Opcode Fuzzy Hash: 4194747173a9d859b0c97a74aee9e96501bc386501ae777265b492526a246681
                                                        • Instruction Fuzzy Hash: A6C1B274E00218CFDB59DFA5D954B9DBBB2BF89300F1090A9E809AB359DB359E85CF10
                                                        Function 011CE078 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 739f88a65b2b1889abad7f250138fb89a4e8c22468b0858febdc659419ad6e92
                                                        • Instruction ID: 8fbe611a9048342b497c33cca3e0eb8c87373dfacef9b63b204d8c081e4452cd
                                                        • Opcode Fuzzy Hash: 739f88a65b2b1889abad7f250138fb89a4e8c22468b0858febdc659419ad6e92
                                                        • Instruction Fuzzy Hash: E7C1D274E01218CFDB18DFA5C954B9DBBB2BF89300F1090A9D409AB369DB359E85CF10
                                                        Function 011C0498 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e8fd4d0159dcecb6cc99704e5c08f4f70d529368dd3144f5bcecde04efcf3ded
                                                        • Instruction ID: 93fcb1d28c601feeb1862461f8fdc6e641a221027de9f7682c0430144417edec
                                                        • Opcode Fuzzy Hash: e8fd4d0159dcecb6cc99704e5c08f4f70d529368dd3144f5bcecde04efcf3ded
                                                        • Instruction Fuzzy Hash: 24C1B274E00218CFDB59DFA5D954B9DBBB2BF88300F2080A9E809AB359DB355E85CF50
                                                        Function 011CBC80 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ba0eb6eca732d388a1ab28811d02af4558246379c651d3c707d2a0523b5c90a8
                                                        • Instruction ID: 18559234f2725fe827f5fa627c6443aab605734af5b18ecbeb4652e8f96e65db
                                                        • Opcode Fuzzy Hash: ba0eb6eca732d388a1ab28811d02af4558246379c651d3c707d2a0523b5c90a8
                                                        • Instruction Fuzzy Hash: BBC1B274E00218CFDB58DFA5D954BADBBB2BF89300F1080A9D809AB359DB359E85CF54
                                                        Function 011C40A8 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 68aebdc1a649b422d758a33fe39e954c943ad1b429d34353299c7e2dc664dd1f
                                                        • Instruction ID: 0b63669ddfafe2ea0bf07261570c4e1e610968b98c724a4509f7d65be81192b5
                                                        • Opcode Fuzzy Hash: 68aebdc1a649b422d758a33fe39e954c943ad1b429d34353299c7e2dc664dd1f
                                                        • Instruction Fuzzy Hash: ECC1C374E00218CFDB18DFA5D954B9DBBB6BF89300F2090A9D409AB359DB359E85CF10
                                                        Function 011CC0D8 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a69baa30df354b2d42b72d20bbe6a5233cfe317c21f129cdf45d942b8f1d963d
                                                        • Instruction ID: d18629b8a8f76451caf4de18ac950e2c5dfec80fac1a69760c39afd24e399718
                                                        • Opcode Fuzzy Hash: a69baa30df354b2d42b72d20bbe6a5233cfe317c21f129cdf45d942b8f1d963d
                                                        • Instruction Fuzzy Hash: 4BC1C374E00218CFDB58DFA9D954B9DBBB2BF89300F1090A9D409AB369DB359E85CF50
                                                        Function 011CE4D0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1219175aff4366fe7f1d6c0cf454b8fc579a52ced00a72249f6fd3d5fc10dc8f
                                                        • Instruction ID: 090ca0fddcf4098186f40cdd15a84b8d492d50683e9c53f4d806da1dd1dca6ee
                                                        • Opcode Fuzzy Hash: 1219175aff4366fe7f1d6c0cf454b8fc579a52ced00a72249f6fd3d5fc10dc8f
                                                        • Instruction Fuzzy Hash: 02C1B274E01218CFDB18DFA5D994B9DBBB2BF89300F1080A9D409AB369DB359E85CF51
                                                        Function 011C08F0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c87c2bd28430940c11f037e56132b9a449371f503b3d35ccba4ae95cb61e7b44
                                                        • Instruction ID: 6e97c5ab474a49bb1f88ce5e7d9f7b9808df2d959fdaca4d09c252bd84572ef6
                                                        • Opcode Fuzzy Hash: c87c2bd28430940c11f037e56132b9a449371f503b3d35ccba4ae95cb61e7b44
                                                        • Instruction Fuzzy Hash: C8C1B274E00218CFDB59DFA5D954B9DBBB2BF88300F2080A9D809AB359DB355E85CF15
                                                        Function 011CAB20 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8f6931847e5e7704a464a307da8213d7dfac883b8f55d982a20e3879612b12ac
                                                        • Instruction ID: 11cd6a64ac8be84ffd64625c2d82a19d288436232501c4af447b14d0251f073e
                                                        • Opcode Fuzzy Hash: 8f6931847e5e7704a464a307da8213d7dfac883b8f55d982a20e3879612b12ac
                                                        • Instruction Fuzzy Hash: 76C1D174E00218CFDB19DFA5D954B9DBBB2BF88300F1080A9D809AB369DB359E85CF10
                                                        Function 011C2F48 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9a29dc550eeb53ab58357dc6c1902a7764d22570e89d1a14b8096df52da2877
                                                        • Instruction ID: 0ffc77e6ed1f51d07a7b0b43d48e53211030e6c5f0124d869b8d1f0872cf3d3c
                                                        • Opcode Fuzzy Hash: c9a29dc550eeb53ab58357dc6c1902a7764d22570e89d1a14b8096df52da2877
                                                        • Instruction Fuzzy Hash: C9C1C274E00218CFDB58DFA9D954B9DBBB2BF89300F1090A9D409AB369DB359E85CF14
                                                        Function 011CAF78 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 97cb0044538c50c1f1ebc0d2c413ec71d5a303c0ade9fcb8656c087685fcf15b
                                                        • Instruction ID: d000e93d72540d5dc6c3c2ff03d5b9002f06d5579fea5bb1b80600578295b517
                                                        • Opcode Fuzzy Hash: 97cb0044538c50c1f1ebc0d2c413ec71d5a303c0ade9fcb8656c087685fcf15b
                                                        • Instruction Fuzzy Hash: 70C1C374E00218CFDB18DFA5D954B9DBBB2BF89300F1090A9D809AB369DB359E85CF14
                                                        Function 011C33A0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 69e28af923224edc794a73cd3ba5def0924bdccf7db7971b2094ff5ad5a7f4ab
                                                        • Instruction ID: 4ddd926ea031736d54cf4f7ce0ac92c69c2f51395b8c843db2885690a6cbb0c0
                                                        • Opcode Fuzzy Hash: 69e28af923224edc794a73cd3ba5def0924bdccf7db7971b2094ff5ad5a7f4ab
                                                        • Instruction Fuzzy Hash: 16C1C374E00218CFDB58DFA5D954B9DBBB2BF89300F2090A9D409AB369DB359E85CF50
                                                        Function 011CB3D0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f7b8bbbbe756e8042e553bb290b46ad7766835550c72010187fb5e86f7eb0dc
                                                        • Instruction ID: 96bb68afd6eb65275e3ad2e34cf3dca9808191eadf1cb88835d5e452044d264c
                                                        • Opcode Fuzzy Hash: 1f7b8bbbbe756e8042e553bb290b46ad7766835550c72010187fb5e86f7eb0dc
                                                        • Instruction Fuzzy Hash: 1FC1B174E00218CFDB58DFA5C955B9DBBB2BF88300F2080A9D809AB365DB359E85CF54
                                                        Function 011C37F8 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 34af65ddcd3e46c22dd82ebcb224c199beddbb4950610efa5cbf9a8dcd566adc
                                                        • Instruction ID: 3a45607820385e468571bcfcaf608b30fa9e7b170b152fc48e23fce09b68b623
                                                        • Opcode Fuzzy Hash: 34af65ddcd3e46c22dd82ebcb224c199beddbb4950610efa5cbf9a8dcd566adc
                                                        • Instruction Fuzzy Hash: 11C1B274E00218CFDB58DFA9D954B9DBBB2BF89300F1094A9D409AB369DB359E85CF10
                                                        Function 011CD238 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e9bd9ea26123d7526443cbc84be27a4e2341fac98196c65578818c49a51fbb49
                                                        • Instruction ID: 5835f8d0691e086a6d0ff93542a62a67906da1801187fe78538fe0da75992da3
                                                        • Opcode Fuzzy Hash: e9bd9ea26123d7526443cbc84be27a4e2341fac98196c65578818c49a51fbb49
                                                        • Instruction Fuzzy Hash: ECC1B274E00218CFDB58DFA5D994B9DBBB2BF89300F1090A9D409AB369DB359E85CF50
                                                        Function 011CF630 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c89bc8cf3ffe3c6d366ce4a9823ed76092e1d652fe492091afff2688ed5a0f0d
                                                        • Instruction ID: 77716f8500c8d762a686e838db020f2885cc3da6ad4e619e0d77e09b9f345b40
                                                        • Opcode Fuzzy Hash: c89bc8cf3ffe3c6d366ce4a9823ed76092e1d652fe492091afff2688ed5a0f0d
                                                        • Instruction Fuzzy Hash: 37C1A274E00218CFDB58DFA9D954B9DBBB2BF89300F1090A9D409AB359DB359E86CF50
                                                        Function 011CA270 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f0755a175ed69a12de8c4f4671cc55afe24cf47e430e48a64ce1e558e2973fb8
                                                        • Instruction ID: 3074f33a28f772c4940834fa3c5a7388a3dcbab29052675697973950f117935b
                                                        • Opcode Fuzzy Hash: f0755a175ed69a12de8c4f4671cc55afe24cf47e430e48a64ce1e558e2973fb8
                                                        • Instruction Fuzzy Hash: 14C1C174E00218CFDB19DFA5D954B9DBBB2BF89300F2080A9D409AB369DB359E85CF50
                                                        Function 011CD690 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d3b65049268d16288407b1b728ad87d158839cc30eb5d32f044297608ac2acf6
                                                        • Instruction ID: 7c34d16a6ef9a601c1bfe625b6450906e2b3d2de9126dc0b3aa13bb1327a5200
                                                        • Opcode Fuzzy Hash: d3b65049268d16288407b1b728ad87d158839cc30eb5d32f044297608ac2acf6
                                                        • Instruction Fuzzy Hash: BFC1B474E00218CFDB58DFA5D994B9DBBB2BF89300F1090A9D809AB359DB359E85CF50
                                                        Function 011CFA88 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f4eb5185b290400fe0f4cf1ff2119930a57c420de7e3b8025e160e7afff5223
                                                        • Instruction ID: da5d0b4e6258704c63040b4b87861652f5d19b20f82c00194f35d9ffad9e1278
                                                        • Opcode Fuzzy Hash: 4f4eb5185b290400fe0f4cf1ff2119930a57c420de7e3b8025e160e7afff5223
                                                        • Instruction Fuzzy Hash: 35C1B374E00218CFDB58DFA5D954B9DBBB2BF89300F1080A9D409AB359DB359E86CF54
                                                        Function 011CA6C8 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c0f9130fda983f302979e4f13485f3ade4d3365eba99c2fbba4ad59dccdb3666
                                                        • Instruction ID: ce2a545b20e6ea8949855da9a2e534af2d727bac5ab45e6a38c4c709534e9794
                                                        • Opcode Fuzzy Hash: c0f9130fda983f302979e4f13485f3ade4d3365eba99c2fbba4ad59dccdb3666
                                                        • Instruction Fuzzy Hash: C7C1C274E00218CFDB19DFA9D954B9DBBB2BF89300F1080A9D409AB369DB359E85CF10
                                                        Function 011C2AF0 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 111feec7ad3f7ab1ab240d4f6810af9980ac7cc7e8d1060193a7f9ab64cd030b
                                                        • Instruction ID: 6a1066eedf633e3a22469a8966ec8271b9bf6954a5f0a46f550b1b7a5830d3bf
                                                        • Opcode Fuzzy Hash: 111feec7ad3f7ab1ab240d4f6810af9980ac7cc7e8d1060193a7f9ab64cd030b
                                                        • Instruction Fuzzy Hash: D9C1B374E00218CFDB18DFA5D954B9DBBB2BF89300F1090A9D809AB359DB359E85CF10
                                                        Function 011C7770 Relevance: 5.3, Strings: 4, Instructions: 274COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.3243636749.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_11c0000_VSLS SCHEDULE_pdf.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (o]q$(o]q$(o]q$(o]q
                                                        • API String ID: 0-1261621458
                                                        • Opcode ID: 7524c50def5864fdad8cdac70b3ab7e22ece764830a8faa0194eed7e079ac1f8
                                                        • Instruction ID: 99fdebd10a939816ffa7e120456a45e66730c0592659495ce309a2264749d7d3
                                                        • Opcode Fuzzy Hash: 7524c50def5864fdad8cdac70b3ab7e22ece764830a8faa0194eed7e079ac1f8
                                                        • Instruction Fuzzy Hash: 79C1A930A002099FCB29CF69C984AAEBBF6FF58714F158599E915AB3A1D770EC41CF50