Edit tour

Windows Analysis Report
CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Overview

General Information

Sample name:	CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Analysis ID:	1586744
MD5:	acf6e91e329de13142c402ee51cdaace
SHA1:	6835138954d1db2eaff916a45993f0ffff66509d
SHA256:	b16a07537092452ea8939b87bb8eaced5dad19fa44f93146e4ba8d8bd943dc83
Tags:	exeuser-James_inthe_box
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CTM REQUEST-ETD JAN 22, 2024_pdf.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe" MD5: ACF6E91E329DE13142C402EE51CDAACE)

CTM REQUEST-ETD JAN 22, 2024_pdf.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe" MD5: ACF6E91E329DE13142C402EE51CDAACE)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "rts@rafinadumai.co.id", "Password": "rtsdumai2021", "Server": "mail.rafinadumai.co.id", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4094012987.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd822f:$a1: get_encryptedPassword 0xef05f:$a1: get_encryptedPassword 0x10649f:$a1: get_encryptedPassword 0xd8557:$a2: get_encryptedUsername 0xef387:$a2: get_encryptedUsername 0x1067c7:$a2: get_encryptedUsername 0xd7fca:$a3: get_timePasswordChanged 0xeedfa:$a3: get_timePasswordChanged 0x10623a:$a3: get_timePasswordChanged 0xd80eb:$a4: get_passwordField 0xeef1b:$a4: get_passwordField 0x10635b:$a4: get_passwordField 0xd8245:$a5: set_encryptedPassword 0xef075:$a5: set_encryptedPassword 0x1064b5:$a5: set_encryptedPassword 0xd9ba1:$a7: get_logins 0xf09d1:$a7: get_logins 0x107e11:$a7: get_logins 0xd9852:$a8: GetOutlookPasswords 0xf0682:$a8: GetOutlookPasswords 0x107ac2:$a8: GetOutlookPasswords
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x594b2:$a1: get_encryptedPassword 0x59740:$a2: get_encryptedUsername 0x5926e:$a3: get_timePasswordChanged 0x59382:$a4: get_passwordField 0x594c8:$a5: set_encryptedPassword 0x5a8bd:$a7: get_logins 0x5a610:$a8: GetOutlookPasswords 0x5a460:$a9: StartKeylogger 0x5a822:$a10: KeyLoggerEventArgs 0x5a4bd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31c74:$a1: get_encryptedPassword 0x31f8d:$a2: get_encryptedUsername 0x31a23:$a3: get_timePasswordChanged 0x31b44:$a4: get_passwordField 0x31c8a:$a5: set_encryptedPassword 0x3358d:$a7: get_logins 0x3323e:$a8: GetOutlookPasswords 0x33030:$a9: StartKeylogger 0x334dd:$a10: KeyLoggerEventArgs 0x3308d:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x2600f:$a1: get_encryptedPassword 0x3d44f:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26337:$a2: get_encryptedUsername 0x3d777:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25daa:$a3: get_timePasswordChanged 0x3d1ea:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25ecb:$a4: get_passwordField 0x3d30b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x26025:$a5: set_encryptedPassword 0x3d465:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27981:$a7: get_logins 0x3edc1:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27632:$a8: GetOutlookPasswords 0x3ea72:$a8: GetOutlookPasswords
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af95:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x423d5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a493:$a3: \Google\Chrome\User Data\Default\Login Data 0x418d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x2a7a1:$a4: \Orbitum\User Data\Default\Login Data 0x41be1:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data 0x2b599:$a5: \Kometa\User Data\Default\Login Data 0x429d9:$a5: \Kometa\User Data\Default\Login Data
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x52a4f:$a1: get_encryptedPassword 0x6987f:$a1: get_encryptedPassword 0x80cbf:$a1: get_encryptedPassword 0x52d77:$a2: get_encryptedUsername 0x69ba7:$a2: get_encryptedUsername 0x80fe7:$a2: get_encryptedUsername 0x527ea:$a3: get_timePasswordChanged 0x6961a:$a3: get_timePasswordChanged 0x80a5a:$a3: get_timePasswordChanged 0x5290b:$a4: get_passwordField 0x6973b:$a4: get_passwordField 0x80b7b:$a4: get_passwordField 0x52a65:$a5: set_encryptedPassword 0x69895:$a5: set_encryptedPassword 0x80cd5:$a5: set_encryptedPassword 0x543c1:$a7: get_logins 0x6b1f1:$a7: get_logins 0x82631:$a7: get_logins 0x54072:$a8: GetOutlookPasswords 0x6aea2:$a8: GetOutlookPasswords 0x822e2:$a8: GetOutlookPasswords
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x579d5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6e805:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x85c45:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x56ed3:$a3: \Google\Chrome\User Data\Default\Login Data 0x6dd03:$a3: \Google\Chrome\User Data\Default\Login Data 0x85143:$a3: \Google\Chrome\User Data\Default\Login Data 0x571e1:$a4: \Orbitum\User Data\Default\Login Data 0x6e011:$a4: \Orbitum\User Data\Default\Login Data 0x85451:$a4: \Orbitum\User Data\Default\Login Data 0x57fd9:$a5: \Kometa\User Data\Default\Login Data 0x6ee09:$a5: \Kometa\User Data\Default\Login Data 0x86249:$a5: \Kometa\User Data\Default\Login Data
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7f07f:$a1: get_encryptedPassword 0x95eaf:$a1: get_encryptedPassword 0xad2ef:$a1: get_encryptedPassword 0x7f3a7:$a2: get_encryptedUsername 0x961d7:$a2: get_encryptedUsername 0xad617:$a2: get_encryptedUsername 0x7ee1a:$a3: get_timePasswordChanged 0x95c4a:$a3: get_timePasswordChanged 0xad08a:$a3: get_timePasswordChanged 0x7ef3b:$a4: get_passwordField 0x95d6b:$a4: get_passwordField 0xad1ab:$a4: get_passwordField 0x7f095:$a5: set_encryptedPassword 0x95ec5:$a5: set_encryptedPassword 0xad305:$a5: set_encryptedPassword 0x809f1:$a7: get_logins 0x97821:$a7: get_logins 0xaec61:$a7: get_logins 0x806a2:$a8: GetOutlookPasswords 0x974d2:$a8: GetOutlookPasswords 0xae912:$a8: GetOutlookPasswords
0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x84005:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9ae35:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xb2275:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x83503:$a3: \Google\Chrome\User Data\Default\Login Data 0x9a333:$a3: \Google\Chrome\User Data\Default\Login Data 0xb1773:$a3: \Google\Chrome\User Data\Default\Login Data 0x83811:$a4: \Orbitum\User Data\Default\Login Data 0x9a641:$a4: \Orbitum\User Data\Default\Login Data 0xb1a81:$a4: \Orbitum\User Data\Default\Login Data 0x84609:$a5: \Kometa\User Data\Default\Login Data 0x9b439:$a5: \Kometa\User Data\Default\Login Data 0xb2879:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T15:23:58.536578+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Avira: detected

Found malware configuration

Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "rts@rafinadumai.co.id", "Password": "rtsdumai2021", "Server": "mail.rafinadumai.co.id", "Port": 587}

Multi AV Scanner detection for submitted file

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.0

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659617585.00000000031C2000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659617585.0000000003141000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 02645782h	2_2_02645358
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 026451B9h	2_2_02644F08
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 02645782h	2_2_026456AF
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8E778h	2_2_04C8E4D0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8BF28h	2_2_04C8BC80
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C80741h	2_2_04C80498
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8A0C0h	2_2_04C89CA0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C83EF8h	2_2_04C83C50
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8DEC8h	2_2_04C8DC20
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8D088h	2_2_04C8CDE0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C81935h	2_2_04C815F8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8F028h	2_2_04C8ED80
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C80FF1h	2_2_04C80D48
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8C7D8h	2_2_04C8C530
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8A970h	2_2_04C8A6C8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8D93Ah	2_2_04C8D690
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8F8D8h	2_2_04C8F630
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C83AA0h	2_2_04C837F8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C831F0h	2_2_04C82F48
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8B220h	2_2_04C8AF78
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8C380h	2_2_04C8C0D8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C80B99h	2_2_04C808F0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C84350h	2_2_04C840A8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C802E9h	2_2_04C80040
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8E320h	2_2_04C8E078
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8BAD0h	2_2_04C8B828
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8F480h	2_2_04C8F1D8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8CC30h	2_2_04C8C988
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C81449h	2_2_04C811A0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8EBD0h	2_2_04C8E928
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C82D98h	2_2_04C82AF0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8FD30h	2_2_04C8FA88
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8A518h	2_2_04C8A270
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8D4E0h	2_2_04C8D238
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8B678h	2_2_04C8B3D0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C83648h	2_2_04C833A0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 4x nop then jmp 04C8ADC8h	2_2_04C8AB20

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000294B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000294B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_055CE0A4	0_2_055CE0A4
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_072DEA68	0_2_072DEA68
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_072DB5E0	0_2_072DB5E0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_072D825A	0_2_072D825A
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_072D89E8	0_2_072D89E8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_072D89F8	0_2_072D89F8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07822718	0_2_07822718
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_078284A8	0_2_078284A8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_0782B4B2	0_2_0782B4B2
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07826300	0_2_07826300
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_0782C1D0	0_2_0782C1D0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07824F58	0_2_07824F58
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07821BA0	0_2_07821BA0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07849C70	0_2_07849C70
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07848308	0_2_07848308
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_0784C130	0_2_0784C130
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_07849C60	0_2_07849C60
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_078816E1	0_2_078816E1
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_0264C168	2_2_0264C168
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_0264CA58	2_2_0264CA58
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_026419B8	2_2_026419B8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_02647E68	2_2_02647E68
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_02644F08	2_2_02644F08
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_02642DD1	2_2_02642DD1
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_0264B9E0	2_2_0264B9E0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_0264B9D0	2_2_0264B9D0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_02647E59	2_2_02647E59
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_02644EF8	2_2_02644EF8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8E4D0	2_2_04C8E4D0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8E4C0	2_2_04C8E4C0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8048A	2_2_04C8048A
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8BC80	2_2_04C8BC80
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C80498	2_2_04C80498
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C89CA0	2_2_04C89CA0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C83C41	2_2_04C83C41
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C81C58	2_2_04C81C58
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C83C50	2_2_04C83C50
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8BC71	2_2_04C8BC71
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8DC11	2_2_04C8DC11
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8DC20	2_2_04C8DC20
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8CDD2	2_2_04C8CDD2
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C815EA	2_2_04C815EA
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8CDE0	2_2_04C8CDE0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C815F8	2_2_04C815F8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8ED80	2_2_04C8ED80
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C80D48	2_2_04C80D48
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8ED70	2_2_04C8ED70
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C84500	2_2_04C84500
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C80D3A	2_2_04C80D3A
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8C530	2_2_04C8C530
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8A6C8	2_2_04C8A6C8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8D681	2_2_04C8D681
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8D690	2_2_04C8D690
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8A6B9	2_2_04C8A6B9
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8F620	2_2_04C8F620
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8F630	2_2_04C8F630
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C837E8	2_2_04C837E8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C837F8	2_2_04C837F8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C87780	2_2_04C87780
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C82F48	2_2_04C82F48
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8AF68	2_2_04C8AF68
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8AF78	2_2_04C8AF78
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C82F38	2_2_04C82F38
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8C0CA	2_2_04C8C0CA
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8C0D8	2_2_04C8C0D8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C808DF	2_2_04C808DF
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C808F0	2_2_04C808F0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C84098	2_2_04C84098
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C840A8	2_2_04C840A8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C80040	2_2_04C80040
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8E068	2_2_04C8E068
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8E078	2_2_04C8E078
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C80006	2_2_04C80006
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8B818	2_2_04C8B818
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8B828	2_2_04C8B828
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8F1C8	2_2_04C8F1C8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8F1D8	2_2_04C8F1D8
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8C988	2_2_04C8C988
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8118F	2_2_04C8118F
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C811A0	2_2_04C811A0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8E928	2_2_04C8E928
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8E922	2_2_04C8E922
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C82AE0	2_2_04C82AE0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C82AF0	2_2_04C82AF0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8FA88	2_2_04C8FA88
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8A261	2_2_04C8A261
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8FA78	2_2_04C8FA78
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8A270	2_2_04C8A270
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8D238	2_2_04C8D238
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8B3C1	2_2_04C8B3C1
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8B3D0	2_2_04C8B3D0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C83391	2_2_04C83391
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C833A0	2_2_04C833A0
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C81B4A	2_2_04C81B4A
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8AB10	2_2_04C8AB10
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 2_2_04C8AB20	2_2_04C8AB20

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1656306724.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659617585.00000000031CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659617585.00000000031CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000000.1642922405.0000000000E12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNullProj.exe2 vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659617585.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelpWindow.exe( vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.00000000007AA000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092875229.0000000000757000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Binary or memory string: OriginalFilenameNullProj.exe2 vs CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTM REQUEST-ETD JAN 22, 2024_pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Mutant created: NULL

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000299E000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000298F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe "C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe"
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process created: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe "C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe"
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process created: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe "C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: 0xF3E56D3D [Mon Aug 31 22:39:57 2099 UTC]

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_072D555F push dword ptr [esp+ecx*2-75h]; ret	0_2_072D5563
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_078807A0 push esp; ret	0_2_07880BA5
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Code function: 0_2_0788226E pushfd ; ret	0_2_07882271

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Static PE information: section name: .text entropy: 7.803458129985861

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe TID: 7072

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4093358109.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Code function: 2_2_0264C168 LdrInitializeThunk,LdrInitializeThunk,

2_2_0264C168

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Memory written: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe base: 790000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Process created: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe "C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4094012987.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.4212050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41ce7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CTM REQUEST-ETD JAN 22, 2024_pdf.exe.41a21b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CTM REQUEST-ETD JAN 22, 2024_pdf.exe PID: 1892, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
CTM REQUEST-ETD JAN 22, 2024_pdf.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
CTM REQUEST-ETD JAN 22, 2024_pdf.exe	100%	Avira	TR/Dropper.MSIL.Gen8
CTM REQUEST-ETD JAN 22, 2024_pdf.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000294B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000294B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1665893884.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4094012987.000000000292F000.00000004.00000800.00020000.00000000.sdmp, CTM REQUEST-ETD JAN 22, 2024_pdf.exe, 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586744
Start date and time:	2025-01-09 15:23:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 146 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
checkip.dyndns.com	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
CLOUDFLARENETUS	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	104.21.72.124
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	172.67.174.91
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.96.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.342376182732888
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
MD5:	D62639C5676A8FA1A0C2215824B6553A
SHA1:	544B2C6E7A43CE06B68DF441CC237AB7A742B5CD
SHA-256:	761379FF547D28D053F7683499D25F7F1B5523CC7262A2DA64AF26448F7E2D76
SHA-512:	5B46D1BDB899D8FA5C7431CA7061CDD1F00BE14CD53B630FAB52E52DA20F4B2BED405F932D7C0E9D74D84129D5BB5DE9B32CC709DA3D6995423E2ED91E92ACD3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.783874283175346
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	CTM REQUEST-ETD JAN 22, 2024_pdf.exe
File size:	219'648 bytes
MD5:	acf6e91e329de13142c402ee51cdaace
SHA1:	6835138954d1db2eaff916a45993f0ffff66509d
SHA256:	b16a07537092452ea8939b87bb8eaced5dad19fa44f93146e4ba8d8bd943dc83
SHA512:	c3846b2fd7e27082edfa03d39b8007f01a68ff2ffc8ff2539ac694169e9b153a31bb49a69234f63532e9e3c0a39a7df1f05f2900cc21abb228d8642d56e1089c
SSDEEP:	3072:OtF+mcO6kn2fIUCArkr0hywvmbYwqaFtrrT6Fs+dK0Snp:4wmcIUCArkr+yDfFxryvU0Sn
TLSH:	7024163F4A30DFF6CA04277BB491043F7D2845E96015B765EEEF62270AF265883A6271
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=m................0..:..........>Y... ...`....@.. ....................................@................................

File Icon


Icon Hash:	64581e034d0d9919

Static PE Info

General

Entrypoint:	0x43593e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF3E56D3D [Mon Aug 31 22:39:57 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x358f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x1b8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x38000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x33944	0x33a00	d54254105962c4e97b2b81432fac548c	False	0.7004010290556901	data	7.803458129985861	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x1b8c	0x1c00	6a80659c188bc5a5a7019b2b9c98d96a	False	0.8450055803571429	data	7.36894474154539	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x38000	0xc	0x200	c4e627cd7db279952c76c845d1f821e9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x36130	0x153e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9711290915777859
RT_GROUP_ICON	0x37670	0x14	data	0.9
RT_VERSION	0x37684	0x31c	data	0.42839195979899497
RT_MANIFEST	0x379a0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T15:23:58.536578+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:23:57.446465969 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:23:57.451508045 CET	80	49733	132.226.8.169	192.168.2.4
Jan 9, 2025 15:23:57.451598883 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:23:57.473404884 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:23:57.478373051 CET	80	49733	132.226.8.169	192.168.2.4
Jan 9, 2025 15:23:58.220177889 CET	80	49733	132.226.8.169	192.168.2.4
Jan 9, 2025 15:23:58.235760927 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:23:58.240817070 CET	80	49733	132.226.8.169	192.168.2.4
Jan 9, 2025 15:23:58.491754055 CET	80	49733	132.226.8.169	192.168.2.4
Jan 9, 2025 15:23:58.501245022 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:58.501308918 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:58.501491070 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:58.536577940 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:23:58.548131943 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:58.548192978 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.023152113 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.023360014 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:59.027156115 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:59.027185917 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.027548075 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.067739964 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:59.071506023 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:59.119329929 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.183530092 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.183571100 CET	443	49735	104.21.96.1	192.168.2.4
Jan 9, 2025 15:23:59.183662891 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:23:59.188189030 CET	49735	443	192.168.2.4	104.21.96.1
Jan 9, 2025 15:25:03.497612953 CET	80	49733	132.226.8.169	192.168.2.4
Jan 9, 2025 15:25:03.499032974 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:25:38.507414103 CET	49733	80	192.168.2.4	132.226.8.169
Jan 9, 2025 15:25:38.512257099 CET	80	49733	132.226.8.169	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:23:57.402242899 CET	54263	53	192.168.2.4	1.1.1.1
Jan 9, 2025 15:23:57.409893036 CET	53	54263	1.1.1.1	192.168.2.4
Jan 9, 2025 15:23:58.493427038 CET	64753	53	192.168.2.4	1.1.1.1
Jan 9, 2025 15:23:58.500684023 CET	53	64753	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 15:23:57.402242899 CET	192.168.2.4	1.1.1.1	0x5288	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.493427038 CET	192.168.2.4	1.1.1.1	0x1af1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:23:57.409893036 CET	1.1.1.1	192.168.2.4	0x5288	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 15:23:57.409893036 CET	1.1.1.1	192.168.2.4	0x5288	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:57.409893036 CET	1.1.1.1	192.168.2.4	0x5288	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:57.409893036 CET	1.1.1.1	192.168.2.4	0x5288	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:57.409893036 CET	1.1.1.1	192.168.2.4	0x5288	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:57.409893036 CET	1.1.1.1	192.168.2.4	0x5288	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:23:58.500684023 CET	1.1.1.1	192.168.2.4	0x1af1	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	132.226.8.169	80	1892	C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:23:57.473404884 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 15:23:58.220177889 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:23:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 15:23:58.235760927 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 15:23:58.491754055 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:23:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	104.21.96.1	443	1892	C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 14:23:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 14:23:59 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:23:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1747428 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tA%2B7IU3Zns3qZR7RBvSF25qehGhLnE2JDUJcsbgG1NJIgJUZbM5SZrUomWf1wsJmTit9%2FAj3DA59DytTMMnDeSIrGRsokdCRg6XwL%2FuoCYUXDYESoHABY9g3IjrJtSfzUoPmCR2q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff5169a8d6d4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1547&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1784841&cwnd=240&unsent_bytes=0&cid=d41f8d04befd6827&ts=175&x=0"
2025-01-09 14:23:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	09:23:54
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe"
Imagebase:	0xe10000
File size:	219'648 bytes
MD5 hash:	ACF6E91E329DE13142C402EE51CDAACE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1659822762.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:23:55
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CTM REQUEST-ETD JAN 22, 2024_pdf.exe"
Imagebase:	0x390000
File size:	219'648 bytes
MD5 hash:	ACF6E91E329DE13142C402EE51CDAACE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4092899809.0000000000792000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4094012987.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.9%
Total number of Nodes:	184
Total number of Limit Nodes:	12

Executed Functions

Function 072DEA68 Relevance: 27.6, Strings: 21, Instructions: 1318COMMON

Download Yara Rule

Strings

c^q, xrefs: 072DF3B6
C5U, xrefs: 072DF910
c^q, xrefs: 072DF3C8
$^q, xrefs: 072DF6A0
$fq, xrefs: 072DECD2
S5U, xrefs: 072DF967
$^q, xrefs: 072DF68E
$^q, xrefs: 072DF6AC
hfq, xrefs: 072DED4A
|b_q, xrefs: 072DEE4E
4c^q, xrefs: 072DED7D
4c^q, xrefs: 072DED87
|b_q, xrefs: 072DEE89
c^q, xrefs: 072DF3D2
hfq, xrefs: 072DED54
s3U, xrefs: 072DFA5F
c^q, xrefs: 072DEF35
,bq, xrefs: 072DFAF5
|b_q, xrefs: 072DEE93
hfq, xrefs: 072DED0F
,bq, xrefs: 072DFAE1

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: $fq$,bq$,bq$4c^q$4c^q$hfq$hfq$hfq$|b_q$|b_q$|b_q$$^q$$^q$$^q$C5U$S5U$c^q$c^q$c^q$c^q$s3U
API String ID: 0-542127156
Opcode ID: 048ae1916cfbe8f932c3e26a5d58865ece130bb0fa2c10f9538a1b3a4d606854
Instruction ID: eb569688d9301a091951385166f28dafc9a45a73eb52a1dceaa4d93ee09a0dae
Opcode Fuzzy Hash: 048ae1916cfbe8f932c3e26a5d58865ece130bb0fa2c10f9538a1b3a4d606854
Instruction Fuzzy Hash: F3C239B4B102168FCB14DF29C998A69BBF2BF88710F1584A9E41ADB365DB30DC85CF51

Function 07849C70 Relevance: 1.9, Strings: 1, Instructions: 650
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0784A4D4

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 47229dc79adb97baa7249953e74e0b1cb6b8b4e3bba30413474b15d106be1287
Instruction ID: fe69b22d73d6a5fbd53a5179d8248da7eeb3664ad7a866e133c9c35d44227e8b
Opcode Fuzzy Hash: 47229dc79adb97baa7249953e74e0b1cb6b8b4e3bba30413474b15d106be1287
Instruction Fuzzy Hash: F462C5B4E402288FDB64DF65C994BDDBBB2FB89300F1085E9D409AB291DB359E85CF41

Function 0782B4B2 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497be14c097d25a44110d798c9036861a7327652656baeba0ade8c53ae044890
Instruction ID: a70c0498478f967fc79c1fe624ced7ced32a628782653e98d6c0c2758fef0f78
Opcode Fuzzy Hash: 497be14c097d25a44110d798c9036861a7327652656baeba0ade8c53ae044890
Instruction Fuzzy Hash: DB427CB0A01255DFC715DFA8C588A6EBBF2BF99301F148469E406DB361DB35EC82CB90

Function 07822718 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fca6f4618285e1ca13663d046208cee06b17b2bdb7b8a6b283a92a116cb0fb
Instruction ID: e1a5790e39f12feafb89e1ebb3dd734f3442210a487714ce5a15e681dc4e67d0
Opcode Fuzzy Hash: 82fca6f4618285e1ca13663d046208cee06b17b2bdb7b8a6b283a92a116cb0fb
Instruction Fuzzy Hash: C242ACB0A00315DFCB28CF65D54866AB7F2BFA4316F15446DE442CB6A1DB39E8C2EB50

Function 07849C60 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774e8b4282470f79434f78560ab016c15735279b14f97baf7e6f98173fa32d63
Instruction ID: 95bc5cd1807b82971836799b4f1aae86870d96bc0819f4c02aec8c61a21901b6
Opcode Fuzzy Hash: 774e8b4282470f79434f78560ab016c15735279b14f97baf7e6f98173fa32d63
Instruction Fuzzy Hash: 0742D4B4E002298FDB64DF65C954BDDBBB2FB89300F1085EAD409AB290DB759E85CF41

Function 0782C1D0 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802c6e32e35168ad88d4e38ddd508b70a8dbb13f63439be98a01f7c4ae6083a
Instruction ID: ba0499b059a315e71ee66a62e5ef7f1485dba51b0e4a1c25dec938289b448014
Opcode Fuzzy Hash: e802c6e32e35168ad88d4e38ddd508b70a8dbb13f63439be98a01f7c4ae6083a
Instruction Fuzzy Hash: AA224AB0A00229DFDB15DF68D448AADBBB2FF49305F2080A9E409DB251DB35DD86CF61

Function 078284A8 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045292c7747d1c3239111ab1386d17be09e1d533972b8e182716da1900825431
Instruction ID: 9bf54f13effa9eac27f056d068cd64d612c5a19f57fea77706b4d2939dd952a1
Opcode Fuzzy Hash: 045292c7747d1c3239111ab1386d17be09e1d533972b8e182716da1900825431
Instruction Fuzzy Hash: 8BF18BB5A00715CFDB25CF69C584A6ABBF2BF58301F148569E84ACB761DB34E882DF40

Function 07826300 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b259ee60dfe2a280e95a10c326d8965d3fe64788d35dbba0f0123c036e741fd
Instruction ID: 662c4298eb3be1f18d76c29c7c550deca575a0501faa9c311b9762d10523a731
Opcode Fuzzy Hash: 2b259ee60dfe2a280e95a10c326d8965d3fe64788d35dbba0f0123c036e741fd
Instruction Fuzzy Hash: 4CF14BB0A00259DFCB08DFA8D558AADBBB2FF88301F148569D806AB755DB35DC86CB40

Function 0784C130 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f08845288af266d455d5867f1f08dced0efe1765e69690e7343a7df04d0ac64
Instruction ID: b033aee11102a8c0ad6e5e5010740d84fb0ce9fdb16b03b4046c7120b3c24f50
Opcode Fuzzy Hash: 9f08845288af266d455d5867f1f08dced0efe1765e69690e7343a7df04d0ac64
Instruction Fuzzy Hash: 5BD1BBB17026098FEB19DFB5C45476EBBFAAF89700F1084ADD146CB290DB75E805CB61

Function 078816E1 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667368509.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7453c29aaf28d751f72d0154753b3941a77e33cfa66e63c51ddc7d884e316a1a
Instruction ID: 7ca3dbf0fed3837272e14f775fc65d85353419fc1741e3b6a718fd0d73c8a986
Opcode Fuzzy Hash: 7453c29aaf28d751f72d0154753b3941a77e33cfa66e63c51ddc7d884e316a1a
Instruction Fuzzy Hash: 4AD14BB0E40209CFDB54EFA9C948BADBBF2BF54304F148558E405EF265EB749986CB41

Function 07848308 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8731a28cb8e0efdc462c2a7958a24c1ef8d47dfb342c2f3d07e6088b78c4746
Instruction ID: ee0b63e13aac14bf2e9d8c738eb395bf31f3fa77b5ccf6d96782b80ca99d4fd9
Opcode Fuzzy Hash: a8731a28cb8e0efdc462c2a7958a24c1ef8d47dfb342c2f3d07e6088b78c4746
Instruction Fuzzy Hash: A97181B4E00218DFDB54CFAAE5846ADBBF2FF89304F208469E819A7364D7359946CF50

Function 072D1A50 Relevance: 38.1, Strings: 28, Instructions: 3073
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X#^q, xrefs: 072D39B3
4c^q, xrefs: 072D2384
(Acq, xrefs: 072D3D27
|cq, xrefs: 072D3694
0"^q, xrefs: 072D3C04
pBcq, xrefs: 072D4B73
$#^q, xrefs: 072D3B98
cq, xrefs: 072D20DD
Pp^q, xrefs: 072D36F5
xbq, xrefs: 072D3369
x cq, xrefs: 072D4E7F
p<^q, xrefs: 072D207C
Hb_q, xrefs: 072D28E5
4'^q, xrefs: 072D1FBA
|b_q, xrefs: 072D2D8B
,bq, xrefs: 072D4A50
;^q, xrefs: 072D22C2
\;^q, xrefs: 072D4B12
,bq, xrefs: 072D3820
PH^q, xrefs: 072D343E
p`^q, xrefs: 072D275D
LR^q, xrefs: 072D3FE1
, ^q, xrefs: 072D410C
p ^q, xrefs: 072D3885
$^q, xrefs: 072D201B
c^q, xrefs: 072D1CA0
(o^q, xrefs: 072D4AB1
\s^q, xrefs: 072D3178

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: $#^q$(Acq$(o^q$, ^q$,bq$,bq$0"^q$4'^q$4c^q$Hb_q$LR^q$PH^q$Pp^q$X#^q$\;^q$\s^q$p ^q$p<^q$pBcq$p`^q$x cq$xbq$|b_q$|cq$cq$$^q$;^q$c^q
API String ID: 0-60724802
Opcode ID: f1018e828eca5a8dcb36541881d0e82d2dd93c9647b252af8189de790eab2f6a
Instruction ID: ea3f5da442e606538c61924009a0ec2c4a170e1013bda341d43a046b7faefa9f
Opcode Fuzzy Hash: f1018e828eca5a8dcb36541881d0e82d2dd93c9647b252af8189de790eab2f6a
Instruction Fuzzy Hash: 26537B70A80218EFDB259BA0DD05B9D7BB6FB49300F1054D8E6096B2E4CF76AE85DF11

Function 072DBC60 Relevance: 6.7, Strings: 5, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c#, xrefs: 072DBCEB
3g~k^, xrefs: 072DBDE1
Cg~k^, xrefs: 072DBD66
;, xrefs: 072DC09D
#g~k^, xrefs: 072DBE5C

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: #g~k^$3g~k^$;$Cg~k^$c#
API String ID: 0-4093251961
Opcode ID: 6e317476a14447ffc294d507c3b24f83aba70df8dea281ddf93228cf686ddb9f
Instruction ID: 364a9613d508e3bfe95a9c73410d2b1704c2df7987d2de66d1ea0594a05496b5
Opcode Fuzzy Hash: 6e317476a14447ffc294d507c3b24f83aba70df8dea281ddf93228cf686ddb9f
Instruction Fuzzy Hash: 3FF19DF4B606069FDB11DBADD96069EB7B2EF84300F208529E515DB394EB70EC85CB90

Function 0782E990 Relevance: 3.9, Strings: 3, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 0782EA0F
(bq, xrefs: 0782EA3B
(bq, xrefs: 0782E9E3

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 12778f5dcf9753089a2f610a9cc430c8726e4cbab9281551dbf79ef515ec9962
Instruction ID: 8dc70d9569d3874fa69c1046cddb90f821e069d2d1a7a84ad9b05abaf077e575
Opcode Fuzzy Hash: 12778f5dcf9753089a2f610a9cc430c8726e4cbab9281551dbf79ef515ec9962
Instruction Fuzzy Hash: 883126727042144FC354AF6AD440A5FBBE6EFD82A1324C62AE80ACB344DE30DC028B94

Function 0782EAF0 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 0782EBEB
(bq, xrefs: 0782EBBF

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 6860cdefb461b058840cc530ab4b05be43373734efeec8725a5d8cc5279101fe
Instruction ID: 13f42a42c922c9a331abe2894b544e874e355ab71b07ed6c62aa71211023d5e9
Opcode Fuzzy Hash: 6860cdefb461b058840cc530ab4b05be43373734efeec8725a5d8cc5279101fe
Instruction Fuzzy Hash: 1D41F571B402158BCB14DF6AD51966EBBF2EF88222F24866DD006EB790DF319C428B94

Function 072DBC27 Relevance: 2.6, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c#, xrefs: 072DBCEB
;, xrefs: 072DC09D

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: ;$c#
API String ID: 0-936537121
Opcode ID: 105af51429b197b5caf0eca8786c666af346182d676cd38057088e9b2aaf3c03
Instruction ID: 6d8efa803308bbcfe322c85fb86b4bc9b89af538b5e3952ee74971ad9622ea92
Opcode Fuzzy Hash: 105af51429b197b5caf0eca8786c666af346182d676cd38057088e9b2aaf3c03
Instruction Fuzzy Hash: CD412EB4A50206DFCB15DFA9D990A9EBBB2FF84310B108529E4559B364DB70EC85CF90

Function 078498DC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07849B1E

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4a3b0621a03c9b9903de9c2b7f5ae22d660872ca5c639c48cf8e2f107a91a081
Instruction ID: 14176b68a800d5611a829d7e149c0dbb547ad7a564abcb6b390126867cf2ce4a
Opcode Fuzzy Hash: 4a3b0621a03c9b9903de9c2b7f5ae22d660872ca5c639c48cf8e2f107a91a081
Instruction Fuzzy Hash: C6A15BB1D0022EDFDB20CF69C84579EBBB6BF44314F1481A9D849E7240DB74A985CF91

Function 078498E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07849B1E

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9fb695a57221e23889b8527b3b08960bef8d64c010bc32b7be3e8b86921022be
Instruction ID: fb80efcc4c32a7357274dad3722e30ee8246766dda385d8e3f0c32602af7b463
Opcode Fuzzy Hash: 9fb695a57221e23889b8527b3b08960bef8d64c010bc32b7be3e8b86921022be
Instruction Fuzzy Hash: D2915BB1D0022EDFDB20CFA9C84579EBBB6BF44314F1481A9D849E7240DBB4A985CF91

Function 055CB2BA Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 055CB51E

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f5019b4cff446cc374159a17204b27a25354c736b23f83e0a97de73329191555
Instruction ID: d72d365ed21ac1b2d551754e8e159bc698a72627f830f1000b98b2a1c37a413f
Opcode Fuzzy Hash: f5019b4cff446cc374159a17204b27a25354c736b23f83e0a97de73329191555
Instruction Fuzzy Hash: 9D812470A00B058FD724DFA9D18675ABBF2FF88310F108A6DD086D7A50DB35E845CB91

Function 0782D5E0 Relevance: 1.7, Strings: 1, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hb_q, xrefs: 0782D643

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: Hb_q
API String ID: 0-781627569
Opcode ID: 3b8130c445a83e5fbdbd796c104b1ac62ed443013b7eeddce86b64bae8039af2
Instruction ID: fa06b5f281a50103d3fcc74c47f19407e3b8b82002bddaa5a044dc9b6360c278
Opcode Fuzzy Hash: 3b8130c445a83e5fbdbd796c104b1ac62ed443013b7eeddce86b64bae8039af2
Instruction Fuzzy Hash: 3E024BB5A002199FCB05DFA8D48499EBBF2FF99310F158599E805DB361D730ED86CBA0

Function 072D5958 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

$^q, xrefs: 072D5BEC

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: d65ad0802d05ee37e407f39d6c993f3a072100a896e93cbb59c79f9c1b76e66c
Instruction ID: b41f866ea3ed7828098072e59a7e2ebcbe48f5f287968987a075d531025f568f
Opcode Fuzzy Hash: d65ad0802d05ee37e407f39d6c993f3a072100a896e93cbb59c79f9c1b76e66c
Instruction Fuzzy Hash: 87E162B4B102169FCB14DF69C5949AEBBF6FF88700B148169D806EB365DB71DC41CBA0

Function 0784A828 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3434d584ba206c1c2524907de0597c66898bfadbf9b9a82588b35703180431e6
Instruction ID: e4b5d35e282b63a8ed062ceca13c2ec315b0242e28fea4895cc68766de90ba6e
Opcode Fuzzy Hash: 3434d584ba206c1c2524907de0597c66898bfadbf9b9a82588b35703180431e6
Instruction Fuzzy Hash: FC51F2B16043889FCB15DF69D804B9EBFF5EF99310F15809AE048DB391CA749C45CBA1

Function 055C449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 055C59C9

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4cf7889841db4a53166516250a991f545498a642aeef26fa375d27fd307ba1a8
Instruction ID: 48768778ea8dfd8eaa8118e6df7b9c547bc6c5d1ff35069bc70bf45b721944fb
Opcode Fuzzy Hash: 4cf7889841db4a53166516250a991f545498a642aeef26fa375d27fd307ba1a8
Instruction Fuzzy Hash: A041D2B0C0061DCFDB24DFAAC88479EBBF5BF48314F6480AAD409AB255EB756945CF90

Function 055C590C Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 055C59C9

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 105d8eaf8b181d3b7ac36a633be535e8b608221cf7e20ca8ae4758f669c5c7de
Instruction ID: 3a0718915fd420a2758c1c0833cbe01f5763fe53342656aab6d14bf49161f536
Opcode Fuzzy Hash: 105d8eaf8b181d3b7ac36a633be535e8b608221cf7e20ca8ae4758f669c5c7de
Instruction Fuzzy Hash: 6F41E2B0C00619CFDB24DFAAC88478DBBF5BF48314F64809AD419AB255DB756945CF90

Function 07849659 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078496F0

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1d24bfa2cb3d25f3fc3e08b826d60a9d456bf34ed8386fd0ac537d8a38c75a8b
Instruction ID: f8382d0f19f629f3d0ca369191b605dde046d3cb3e00c6b1b98f5cd495b0f985
Opcode Fuzzy Hash: 1d24bfa2cb3d25f3fc3e08b826d60a9d456bf34ed8386fd0ac537d8a38c75a8b
Instruction Fuzzy Hash: 6D2148B190035D9FCB20DFA9D885BDEBBF5FF48310F10842AE959A7240C778A544CBA4

Function 07849660 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078496F0

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1dec278fac98769a184ababf572498d416198fed0f176e015e14aade64f742b8
Instruction ID: 6b625c3b56f248d806247f3cdb2886756ba44eda82a16d5eafec8beba43a7468
Opcode Fuzzy Hash: 1dec278fac98769a184ababf572498d416198fed0f176e015e14aade64f742b8
Instruction Fuzzy Hash: DA2105B190035D9FCB10DFAAC885BDEBBF5FF48310F10842AE959A7250D778A954CBA4

Function 07849748 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078497D0

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b459471a083fabadce52428442b93e861c154245591f6c0653ea329bd22cc8eb
Instruction ID: 462da2120e60b37d23127f348a9721e94c8015b741e0b8d8e447e43beb77fecb
Opcode Fuzzy Hash: b459471a083fabadce52428442b93e861c154245591f6c0653ea329bd22cc8eb
Instruction Fuzzy Hash: A92169B58003599FCB20CFAAC885ADEFBF4FF48320F10842AE559A7250C778A545CBA4

Function 078494C0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07849546

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 849152c27994eb8030e7ed1f9232c9bfd90e9a21038aedf0a1da98af52476776
Instruction ID: 39aa66529d52d8c39e0b6926747d73d1c6f6e8437b9a0c652cb66a7e0ddce985
Opcode Fuzzy Hash: 849152c27994eb8030e7ed1f9232c9bfd90e9a21038aedf0a1da98af52476776
Instruction Fuzzy Hash: 5A2159B19003198FCB20DFAAC4857EEBBF4EF48324F108429D559A7241C778A545CFA5

Function 055CD318 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055CD76E,?,?,?,?,?), ref: 055CD82F

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b033d9622fed38b5de6d604af2ae8b0f1df5b6a5fbcf5f43d82d3e77c2cbd7c
Instruction ID: b5d3e706c7e0faa452346c3f73b5a7613732470e206e09771196cfb5a5b3210a
Opcode Fuzzy Hash: 0b033d9622fed38b5de6d604af2ae8b0f1df5b6a5fbcf5f43d82d3e77c2cbd7c
Instruction Fuzzy Hash: 5021E3B5900258AFDB10CF9AD584AEEFFF4FB48320F14846AE959A7350D374A940CFA4

Function 055CD7A0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055CD76E,?,?,?,?,?), ref: 055CD82F

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b2411b78579c995aa9356f012c0a026f46a3c66d99c68fcee78f53ee329c51bb
Instruction ID: 83adbac6c75ac609322ae87a060b8c40c6d92e75c134bf096f7a3b6d5fd5dbf3
Opcode Fuzzy Hash: b2411b78579c995aa9356f012c0a026f46a3c66d99c68fcee78f53ee329c51bb
Instruction Fuzzy Hash: 0721E3B59002589FDB10CFAAD984ADEBFF4FB48310F14846AE958A7350D374A940DFA4

Function 07849750 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078497D0

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fd711a3af7317fc5ac243d26647f41062f0eb7eda43fef54fce9dc73c85edede
Instruction ID: 5a03d1e57ef7614776465f24bfa94232d89c612055f04b988be0c688ea0bb710
Opcode Fuzzy Hash: fd711a3af7317fc5ac243d26647f41062f0eb7eda43fef54fce9dc73c85edede
Instruction Fuzzy Hash: 002128B180035D9FCB10DFAAC885ADEFBF5FF48310F508429E559A7250C778A545CBA4

Function 078494C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07849546

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 389133c0e122f4903656ca7dd01ea9be43d1c27891ecaf3f041b8efb646e3917
Instruction ID: 3af2c572190aff36a79938c8923008e375f2b1e7b53fcd4a7f035f04e1f7c301
Opcode Fuzzy Hash: 389133c0e122f4903656ca7dd01ea9be43d1c27891ecaf3f041b8efb646e3917
Instruction Fuzzy Hash: 812138B19003098FDB10DFAAC4857EEBBF4EF48324F508429D559A7241CB78A945CFA5

Function 07882098 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,07882080,0414410C,0318F558), ref: 07882111

Memory Dump Source

Source File: 00000000.00000002.1667368509.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 5ad35389fd4f037b743711f981829afec700340e454aef91c713a8ffd6e822da
Instruction ID: 495d5afb77361ef604e4869fae3baee8fb975f926467ffd6ea3e044f9ea7c646
Opcode Fuzzy Hash: 5ad35389fd4f037b743711f981829afec700340e454aef91c713a8ffd6e822da
Instruction Fuzzy Hash: 342149B59002198FDB14DF9AC844BEEFBF4FF88320F14842AD454A3250D778A945CFA5

Function 078812C4 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,07882080,0414410C,0318F558), ref: 07882111

Memory Dump Source

Source File: 00000000.00000002.1667368509.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: a57c630bf7320906dfb063d64100e31ad45835ab2e900515ede5463ace33d198
Instruction ID: 0ecdafda4e8c3fbd352057c928b5cc3a04ad67bb9940c78d7cacf1d94994a60d
Opcode Fuzzy Hash: a57c630bf7320906dfb063d64100e31ad45835ab2e900515ede5463ace33d198
Instruction Fuzzy Hash: 4D2135B59002198FDB10DF9AC844BEEFBF5FB88320F10842AD558E7250D778A945CFA5

Function 07849599 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0784960E

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e795ae6bf95c1475c7e9f1b60ce65314c6699679f881e95d141edcebff8ef67
Instruction ID: 3c953f602a33ff5d5e9cd6ee2f3e7cbdd0a0aea7f09d9d6543c7e63c3b2de0db
Opcode Fuzzy Hash: 1e795ae6bf95c1475c7e9f1b60ce65314c6699679f881e95d141edcebff8ef67
Instruction Fuzzy Hash: F4219AB280024D9BCB20DFAAC405ADFBFF1EF88320F14881AD529A7250C775A544CF90

Function 07849410 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0784947A

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ffe29a9e9c6a8f58a5aa20960e4bc73a8af9adc2d149c4bc330b9a2eaffe87ed
Instruction ID: 0e345d86e5f9492a53cb3dc28961f299dc7ab07c82a755044dbfd8dc05156125
Opcode Fuzzy Hash: ffe29a9e9c6a8f58a5aa20960e4bc73a8af9adc2d149c4bc330b9a2eaffe87ed
Instruction Fuzzy Hash: F6115BB29003488BCB20DFAAD4457DFFBF4EF88324F208819D559A7250CB75A545CBA5

Function 078495A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0784960E

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8fa264575442c0f2753404722ec014ccd199aa8126310310add9a257bd747c46
Instruction ID: 15c488517b8b5090dcb4f88a47397def3db96bb3ab52aa7798783ac2c87f435a
Opcode Fuzzy Hash: 8fa264575442c0f2753404722ec014ccd199aa8126310310add9a257bd747c46
Instruction Fuzzy Hash: 5A1126B29002599FCB20DFAAC845BDFBBF5EF88324F108819E559A7250C775A544CFA4

Function 07849418 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0784947A

Memory Dump Source

Source File: 00000000.00000002.1667301659.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7840000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b1d1629a435d4dad5aa696db8973ca6a00681e3cfa78a28a2388797d1c11dbab
Instruction ID: 90547b65e2112a887e0a9448089b291b75e9841db3d1b386ff75e365c29de948
Opcode Fuzzy Hash: b1d1629a435d4dad5aa696db8973ca6a00681e3cfa78a28a2388797d1c11dbab
Instruction Fuzzy Hash: 1E1125B19003598BCB20DFAAC4457DEFBF4AB88324F208829D559A7250CB75A944CBA4

Function 055CB4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 055CB51E

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9be7e2cb7c9e8b3d78012c94ac58a02a10630fda843c02a5ddf73664e0682ac9
Instruction ID: b4cee0595533e2e8a4b6de453b93d6e7201c76aaf2c0a99720a854851b87402b
Opcode Fuzzy Hash: 9be7e2cb7c9e8b3d78012c94ac58a02a10630fda843c02a5ddf73664e0682ac9
Instruction Fuzzy Hash: 5F11E0B6C003498FCB10DF9AD445ADEFBF8BF88324F14846AD469A7210D375A545CFA5

Function 07881003 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0788105D

Memory Dump Source

Source File: 00000000.00000002.1667368509.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 943e1293593ac7b8926243499a8c0a4ad72dcd5336bfb81bb7b634bf516e3336
Instruction ID: 5e75ea03f1c0b960259a3a632c28cbe7ddf06ce77a64fd8153efa6fab7d0216c
Opcode Fuzzy Hash: 943e1293593ac7b8926243499a8c0a4ad72dcd5336bfb81bb7b634bf516e3336
Instruction Fuzzy Hash: B81115B59003588FCB20DF9AD449BDEBBF4EB48320F20841AD558A7710C775A585CFA5

Function 07881008 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0788105D

Memory Dump Source

Source File: 00000000.00000002.1667368509.0000000007880000.00000040.00000800.00020000.00000000.sdmp, Offset: 07880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7880000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ef42c5aaeb15a51fe8cbcf55ad9400444d82685fd7899b014ece05b0aba49872
Instruction ID: 0709957964fe84584883c325f1d170ae6d6738d467749bca9c85177a8894d457
Opcode Fuzzy Hash: ef42c5aaeb15a51fe8cbcf55ad9400444d82685fd7899b014ece05b0aba49872
Instruction Fuzzy Hash: B61112B18003588FCB20DF9AD448BCEBBF4EB48320F20841AD568A7210C779A584CFA5

Function 072DD1F8 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

,bq, xrefs: 072DD483

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 49e632a1e63d54a5ca389c1d5611f7da2228b5375a0be0e1702ed8f1989e3360
Instruction ID: d301f7f36573947e4123e0264ec861e254219e81afe8ae8be59aa12971d2409a
Opcode Fuzzy Hash: 49e632a1e63d54a5ca389c1d5611f7da2228b5375a0be0e1702ed8f1989e3360
Instruction Fuzzy Hash: 25A160B0B106069FCB14DFA5C55895EBBB2BF88300F24856AD81ADB365DB70EC46CB90

Function 07820040 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

CGT, xrefs: 078201AF

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: CGT
API String ID: 0-2327674560
Opcode ID: 30b1ac81dd1a90d1ccd281729dbe61a2d528114e057fed69d152001220979377
Instruction ID: 3f1c88a30e1e4ddc6f125bf3a34d4018c1278356ba87d227766b8309820975ec
Opcode Fuzzy Hash: 30b1ac81dd1a90d1ccd281729dbe61a2d528114e057fed69d152001220979377
Instruction Fuzzy Hash: D181D0B0B40214CFCB15DF79C554A6ABBF6EF88310B14846AD50ADB362DB31EC82CB90

Function 072D6050 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

,bq, xrefs: 072D6288

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 46bd7a72ea28bc7c8d2e600923edec32a3aca9f163851c76ef9ac5af49e21f0c
Instruction ID: 652241e1ddd046bfa53442f160e2ae2ba11d6c685276a8976db01fa9e8749452
Opcode Fuzzy Hash: 46bd7a72ea28bc7c8d2e600923edec32a3aca9f163851c76ef9ac5af49e21f0c
Instruction Fuzzy Hash: 8771A2707202018FC718DF79D458A29BBEAFF8A655B1540AAE506CB3B2DF71EC41CB51

Function 072DA9C0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

Hbq, xrefs: 072DAB09

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: e1bbb78aa38003cc22401d6a1581faee075ed80f381165d1712804784fd57d72
Instruction ID: 8dd5f0ef00a8a392035ed28e7bd6ea9d7c25814d855364cfa91cf52370580df9
Opcode Fuzzy Hash: e1bbb78aa38003cc22401d6a1581faee075ed80f381165d1712804784fd57d72
Instruction Fuzzy Hash: 9281B171B00245AFCB05DFA8D854AAEBBB7EF89310F14809AE505CB3A5DB30DD51CBA1

Function 072DCE38 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

$^q, xrefs: 072DCE84

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 39fcac21dfcaab9ece638c517efe48f3216b2f9da00ca8ead446765a4e63f17f
Instruction ID: d08daeb3a7edaa5aa111a3e8a5570a5e485100a4c31bb79fb828d588067c6978
Opcode Fuzzy Hash: 39fcac21dfcaab9ece638c517efe48f3216b2f9da00ca8ead446765a4e63f17f
Instruction Fuzzy Hash: 0E614BB1B50206CFCB14DF65D558AADB7B6FF88711F10846AE416EB260CB71DD82CBA0

Function 072D0448 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

d, xrefs: 072D0594

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9681f3b923f9698a92dfca06207235f15778f9ecf47a76328bfc2cade7609d3d
Instruction ID: 727b55ce67b2e9773a58ee0d731427fafa21514c69a3465196e2c205c127d6eb
Opcode Fuzzy Hash: 9681f3b923f9698a92dfca06207235f15778f9ecf47a76328bfc2cade7609d3d
Instruction Fuzzy Hash: AA615B74A0060ADFCB25CF59D5C48AAFBB6FF88310B50C56AD91997625DB30FC61CBA0

Function 0782B308 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 0782B472

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 974f6cfce99986f1f7be59a567455434d04f178e3838265a93eed5f2f67494e0
Instruction ID: 279f232caef505e9ffebc2ceba617a3ab7e5ab066e43483a17cd4ff0fba28d45
Opcode Fuzzy Hash: 974f6cfce99986f1f7be59a567455434d04f178e3838265a93eed5f2f67494e0
Instruction Fuzzy Hash: 4E516DF1A012299FCB15CFA9C884AAEBBF1FF58301F148069E805EB251E730DD95DB90

Function 0782DFB1 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0782E03C

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d0f65466dfc21050577f5438b8f5f56892e2c011742813993eaea803404e2a64
Instruction ID: 5dac2e26bcca6df1746d41626210c38f261b0336e6cdf737e41e3f65cff6aec1
Opcode Fuzzy Hash: d0f65466dfc21050577f5438b8f5f56892e2c011742813993eaea803404e2a64
Instruction Fuzzy Hash: EB519FB1A00205DFC705DF68D58489DBBF2FF89310B258AA9D409CB326D731ED8ACB91

Function 072DC2B0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072DC363

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: c22df540e8f655b6c847de4490c212953543750c95ea15f3f471ecf145b37340
Instruction ID: e2d13dc4969befb76ea332094aca8a514f5252871800b3412e0b315e15879677
Opcode Fuzzy Hash: c22df540e8f655b6c847de4490c212953543750c95ea15f3f471ecf145b37340
Instruction Fuzzy Hash: 7A3159B161020ADFC714DF69D488AAA77F6FF4A350F2444A9E806DB361DB71ED81CB60

Function 0782B2FA Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

@, xrefs: 0782B33A

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3462c20528098af6fcaca5902436317eea300e6ce7ddf4843fa886fd28aaef58
Instruction ID: 0ed05edcfb67ffd00074af356829b96b382e12ee5961ca0730b5faee9bfaaed2
Opcode Fuzzy Hash: 3462c20528098af6fcaca5902436317eea300e6ce7ddf4843fa886fd28aaef58
Instruction Fuzzy Hash: 7F21D3B2A01269AFCB11CFA8D8849FEBFB5FF49311F048066E914D7211E734DA55DB90

Function 072D58BF Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072D592D

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 78468942ec40ff4882e90f26decb61c9b1ec4937438f77cca056581a29000d2a
Instruction ID: 931120aab16397c8e0972fccc09e3fc72eea5e6c4af45b83d51a2387592cbf73
Opcode Fuzzy Hash: 78468942ec40ff4882e90f26decb61c9b1ec4937438f77cca056581a29000d2a
Instruction Fuzzy Hash: FF01D6313412019FC709EB69E5545AE7BE6EFC6250310896DD055CB755EF30EC8B87A2

Function 072D58D0 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072D592D

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: bf1e7953a9e6e8babef5462b35aae17081b7961a041d8115c540332cce0d84d1
Instruction ID: 5c1c1d1384a53b8855e0d61bbb85e1dd5d3b5fe5a13957197ebf24ec93d3c362
Opcode Fuzzy Hash: bf1e7953a9e6e8babef5462b35aae17081b7961a041d8115c540332cce0d84d1
Instruction Fuzzy Hash: C5F0B4317406056FC208EB69E55496E77D7EFC92503109A2CD05ACB715EF30EC4B87A2

Function 07830048 Relevance: 1.1, Instructions: 1113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667286265.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b8015006e7f0189556942006c839e8ff614e3668fbccb7b60c133f305ebef6
Instruction ID: 470af0651e6e3a2cfda0d8d07bdf653becfcb36ecfb9517a1243bab0b36910aa
Opcode Fuzzy Hash: 28b8015006e7f0189556942006c839e8ff614e3668fbccb7b60c133f305ebef6
Instruction Fuzzy Hash: 1031F47130434A8FDB158E2DD855B6ABBA7AFD5311F24846AE604CF291EB32C845C7A0

Function 07829F80 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b1c114d80ffd37f3c1885636eea5ff57274b73b803d2e89403bbc5772322a7
Instruction ID: 0196e3fe81418ac00765d94bfc8b04a83889e11b14f7532605608753ea602e4e
Opcode Fuzzy Hash: e6b1c114d80ffd37f3c1885636eea5ff57274b73b803d2e89403bbc5772322a7
Instruction Fuzzy Hash: B24236B5600605DFC725CF68D588A6ABBF2FF58301B15C569D84ACB662DB30EC86CF81

Function 0782A6C0 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232f9bbdf7f268164aeb923e5a49eaa5ad149a45b3aed98cc5d9ac188acae2d5
Instruction ID: 5a4338396541618eb87ddedca2c990acff1cf68a395d59393ee44853498a1911
Opcode Fuzzy Hash: 232f9bbdf7f268164aeb923e5a49eaa5ad149a45b3aed98cc5d9ac188acae2d5
Instruction Fuzzy Hash: 700201B1A042559FDB15CF69D540AAEBBF2FF84310F14C0AAD945DB252C731EC86CBA2

Function 072D6327 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4fb1eecb581b922033ec2d1b8e16f48b3f41356b910d1e82f838b773eeefb8
Instruction ID: f9b8b0a85c56b355e88205a14d18eedac2b1976f76e06ff2c3df0a6c74b93dca
Opcode Fuzzy Hash: 4b4fb1eecb581b922033ec2d1b8e16f48b3f41356b910d1e82f838b773eeefb8
Instruction Fuzzy Hash: 0F0235B47106428FCB14DF79C588A6ABBF2FF89340B1584A9E506CB3A6DB34EC45CB50

Function 072DD687 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1417cc8e7eac4754ed05ddc01dcbc82646127018cf48990303bb0934d79e2d8
Instruction ID: 911973326aa0cf472c662681276a96a804c089e8cb43024dba5bbd32981ce3c2
Opcode Fuzzy Hash: b1417cc8e7eac4754ed05ddc01dcbc82646127018cf48990303bb0934d79e2d8
Instruction Fuzzy Hash: C2F15D757106018FCB15DF29C489AAEBBF2FF85210F1884AAE546CB362CB35ED45CB51

Function 0782AD20 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f802366260217a4ed261b97f72e123e06fc7814afcc613f9ae89e77d654f976f
Instruction ID: e19f36a51585926e2c35883f1646078e85540d3c2bdb9f7304691558560163af
Opcode Fuzzy Hash: f802366260217a4ed261b97f72e123e06fc7814afcc613f9ae89e77d654f976f
Instruction Fuzzy Hash: 26F15AB4A00245DFC705DFA8C5849AABBF2FF98311B19C599E409DB766D730EC86CB90

Function 072DC9A0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e45a7e23c7ce6c877e048c9bf8c47dd2bcb12854437b3f6a7108da340eacf5
Instruction ID: 02ec96bfb3fe45d47a888568e7cab986dee3e2bc3a0b9bc5ec0d73d491bff3fa
Opcode Fuzzy Hash: c4e45a7e23c7ce6c877e048c9bf8c47dd2bcb12854437b3f6a7108da340eacf5
Instruction Fuzzy Hash: 27C1B2B5B21223DFCB148F64D554729BBB2BF84B10F158568D9068F385DB75DC82CBA0

Function 07820E40 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0068bfabdd5ace6afd3d65f90141d7c0d5601e43caacd127271d2bcc9b0e7806
Instruction ID: 7a1a5545b29a5ecb13c880dc3c4d58cf45d8779175ca21a50ccdf174674aef14
Opcode Fuzzy Hash: 0068bfabdd5ace6afd3d65f90141d7c0d5601e43caacd127271d2bcc9b0e7806
Instruction Fuzzy Hash: 73D1A0B0A003459FC715DF68C584A5ABBF2FF89310B2585A9D449CF362DB30ED86CB90

Function 07821548 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9c20c467d8dcdcfdbfe0b5e38e2d7ad9094fa9c7c2b558445d97300a54e815
Instruction ID: 916e5cb421296127a9074f6938465f67261f601595f1b584183fe7cbdcab5462
Opcode Fuzzy Hash: af9c20c467d8dcdcfdbfe0b5e38e2d7ad9094fa9c7c2b558445d97300a54e815
Instruction Fuzzy Hash: 5AB1B3B0B0025A9FD721CF78D58866AB7E2BF58302F24492AE447C7750DB34E982DB52

Function 07826C16 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d8a0c64673e4d3a0c59ed71cb07bf68f64a6a1ee16a23a6453d8b199daf7b6
Instruction ID: e1f42c8bc424b13d2a4a407a0884d979d33588df63ef3fdd5313dcc815a0b688
Opcode Fuzzy Hash: 80d8a0c64673e4d3a0c59ed71cb07bf68f64a6a1ee16a23a6453d8b199daf7b6
Instruction Fuzzy Hash: FAB1C2B1704241AFD716CF28D048A26BBE3FF95311B55C0AAE449CBB66DB31EC86CB51

Function 072D5C78 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70658959211b3d0ffca8c9150409a98408485655708351d3f1f78cec42fc3691
Instruction ID: 3124580eb21f4a71801ad301f6fd5151f43ef6526a453538f17adf77f3ee6a37
Opcode Fuzzy Hash: 70658959211b3d0ffca8c9150409a98408485655708351d3f1f78cec42fc3691
Instruction Fuzzy Hash: 21A15974B102059FC715DF79C494AAEBBF6BF89310B1584A9E806EB361DB71EC42CB90

Function 07823458 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91eadb19968bee980903a5369ea2a21a426c713f48f1bdc184b93067e2e0587
Instruction ID: 99c308cdc35eacb773c4892c0a8d6c4d26c2feb2e4d8bad4f860359a3a6c2e67
Opcode Fuzzy Hash: f91eadb19968bee980903a5369ea2a21a426c713f48f1bdc184b93067e2e0587
Instruction Fuzzy Hash: 5881C6F0B1113AEBCF250E54896473ABEA6ABA4B56F044519EC46CA744DB38CCC3A7D0

Function 072DAB58 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706654db77e118cd09b584d102d5c70f12ddc7453dbd6702d3f58900ac311eb0
Instruction ID: 9278314bab866c3cce8b0d56ea32a3374ac33c238eadc7a1bf8fad9433045f71
Opcode Fuzzy Hash: 706654db77e118cd09b584d102d5c70f12ddc7453dbd6702d3f58900ac311eb0
Instruction Fuzzy Hash: F581D5F1F35237CFCB258A688400A2AB6F5AF95A21F19C95ACC42DB354D6B0CC81C7D1

Function 072D6B00 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7839cea175f4fc75e86896a5b508cfcc0e236b4383097220dd1953d3d8310ea5
Instruction ID: 1e88ab34db1b3c8753d40b0f9cd1ccea6a1ff1a144b3e701fb54ed7ed5582c38
Opcode Fuzzy Hash: 7839cea175f4fc75e86896a5b508cfcc0e236b4383097220dd1953d3d8310ea5
Instruction Fuzzy Hash: A4818EB5B102168FCB01DF68D4988AEBBF5FF89350B1580AAE915EB361D730ED41CB90

Function 072D0DE0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0902c8ec89bd3aff946d6ec107fdaeb513781e4b4b32d6fc11d4c391afaa8c3
Instruction ID: 9d7fd3d81aa74c1e04f9cda49af534214fc82afebfca7db0ab3b92485d20f4d6
Opcode Fuzzy Hash: d0902c8ec89bd3aff946d6ec107fdaeb513781e4b4b32d6fc11d4c391afaa8c3
Instruction Fuzzy Hash: 6F7118F1A60154DFC700ABA4E60A45C7BA2FF81350F15C6AED802AB715DE71AD588B92

Function 078223B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc88ca55e8a79b1824f7ad953f34745935fc6531282cc20112b2f347bed22d2
Instruction ID: 5e816a96e7a72fbe08d0c2fead91f24fc38c11aa7b84d680887a8605b833f438
Opcode Fuzzy Hash: bcc88ca55e8a79b1824f7ad953f34745935fc6531282cc20112b2f347bed22d2
Instruction Fuzzy Hash: E5818DB06003169FCB25DF28D644A6ABBF2FF94305F11C52AE806C7365DB74E986DB90

Function 078205F0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d460220a9d386e6f88e3bb4fa9e8cd5d9f085deac2da8c9309524598b79105b
Instruction ID: d2d378d367e63a0d77c89cfb49a48ae2216155bfa278380af1a1ad258cea4464
Opcode Fuzzy Hash: 0d460220a9d386e6f88e3bb4fa9e8cd5d9f085deac2da8c9309524598b79105b
Instruction Fuzzy Hash: 89617FB5B40215DFCB049FA5D8586BEBBF6FB88301F548429E80ADB351DF748C528BA1

Function 0782C417 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c3d906173476745bf7633a85e1ed72ce1154dbc1b30c4e27bb785d1b6848f2
Instruction ID: cf4223abadd5febd018d339f14cb144b490f1ce41fabbd363b7cf5db71b6201a
Opcode Fuzzy Hash: f3c3d906173476745bf7633a85e1ed72ce1154dbc1b30c4e27bb785d1b6848f2
Instruction Fuzzy Hash: A6715AB1601255DFCB15DF24D549A6ABBB2FF89301F1484A9E406CB361CB35EC82CFA1

Function 072DD1EA Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb8b389dc9e703a15a10898c4a1da64f65817725f694740e9e81f7317298fa9
Instruction ID: 67044ebe7834a8c2c2a317c1b823f082fedf5f9485b26ddd0ce8e22ada41025f
Opcode Fuzzy Hash: efb8b389dc9e703a15a10898c4a1da64f65817725f694740e9e81f7317298fa9
Instruction Fuzzy Hash: 387150B0B106069FCB14DFA9C55499EBBF2FF88300B148569D41AAB365DB70ED46CF90

Function 072D794E Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35592222d693d35d92952b2839054ced46f1d90718f3cbd744b1eff159036a6b
Instruction ID: 20b7239141929e83b4fce5a1d96cf7efab29a6a302e669507717add6fb6e4b7e
Opcode Fuzzy Hash: 35592222d693d35d92952b2839054ced46f1d90718f3cbd744b1eff159036a6b
Instruction Fuzzy Hash: 716192B6B102068FCB10DF6DD48499ABBF6FF88320B1585AAE505DB322D734ED45CB90

Function 078205E1 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe730a12845e7528e2699d9b96b104f6e5cebfac22f5cddcd8e48429cfa2667
Instruction ID: 225b8c0aadb0550a7f146bbb3a19b44bac9378b69bf4f4355cbb8277f8d547d2
Opcode Fuzzy Hash: afe730a12845e7528e2699d9b96b104f6e5cebfac22f5cddcd8e48429cfa2667
Instruction Fuzzy Hash: 1F516EB4B40215DFDB049FA5D8586BEBBB6EB88301F548429E806DB351DF748C918BA1

Function 078221C0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40eb1d86f8fb97976842bdd49a4c673fdb66afb96cd2c0f67b421f419b91db12
Instruction ID: 86123b4ef9dc5fe7f74e01de91a5baaebd79be81692e4accd34c63b880d81170
Opcode Fuzzy Hash: 40eb1d86f8fb97976842bdd49a4c673fdb66afb96cd2c0f67b421f419b91db12
Instruction Fuzzy Hash: 4861D4B4A002199FDB54CFA9D480A9EBBF6FF88310F11402AE919EB314D735DD52CBA0

Function 07821090 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cb5728f5f83d294b22c9eb0fa0f14edf8370e9dd44d0245cde96f010714123
Instruction ID: b2621fc4372b605f9f23d9e903d46afb66215dcbf2a34d428ee9f7b031b3c016
Opcode Fuzzy Hash: c2cb5728f5f83d294b22c9eb0fa0f14edf8370e9dd44d0245cde96f010714123
Instruction Fuzzy Hash: DA716CB0A003469FCB05DF68D584A99BBF2FF49304B20C5A9D419CB762D770ED86CB90

Function 0782239F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef6cc3c4123105c20f0c23aa4e718a34616701d74430a08bd76c26486098c27
Instruction ID: fcf5ef006431874f604affdd5a8dee66ee3dccd1eef838a4c08f5a7482d0d072
Opcode Fuzzy Hash: fef6cc3c4123105c20f0c23aa4e718a34616701d74430a08bd76c26486098c27
Instruction Fuzzy Hash: AF61B0B06013169FCB21CF28D644A6ABBF2FF94311F05C52AE806C7365D734E98ACB91

Function 078278D0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6398f8e37f572b0777f28784fb43de0fe15d0fc2bfae2ab5edb07ffee37a2ad8
Instruction ID: 2824c1b14169037cd3fa6abba34afa73936595dfd81715c224a588d1a57d9ef5
Opcode Fuzzy Hash: 6398f8e37f572b0777f28784fb43de0fe15d0fc2bfae2ab5edb07ffee37a2ad8
Instruction Fuzzy Hash: 2B519E76B00209AFDB01DFA9D844AEEFBF5FF88320F14816AE905D7201D735A955CBA0

Function 07826990 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eca083124d076a2d5e72a1347d1d5d6f947e3585eb89e3cd3539779b4df8c88
Instruction ID: 6cf8bafa1ca66dbdbba22c5b1ebe0228897f4f4a5349749a4ba2eedc0bc6e12f
Opcode Fuzzy Hash: 4eca083124d076a2d5e72a1347d1d5d6f947e3585eb89e3cd3539779b4df8c88
Instruction Fuzzy Hash: 3241D2F0314263DFCB210E76840472BB7E6BFA5312F54892AD447C2A80FB25D8C3A752

Function 072DE4C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fbb74ef50cc796db6f83acf7da8548940ae16fdbe2a31ee5c6bce9fcab761c
Instruction ID: e724fbbc4e095071637be9403e7278710cfa287acfd1fd0094c7b0e19c3935de
Opcode Fuzzy Hash: 27fbb74ef50cc796db6f83acf7da8548940ae16fdbe2a31ee5c6bce9fcab761c
Instruction Fuzzy Hash: 8441F275B102078FCB11DB79D98496EBBA6FFC5250B1A84AAD905CF251EB30EC41CB62

Function 072DE6E1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef72427b52f5c1a3aac64bcc527b71ff889ff84f7d631727e4d098b368fab1e
Instruction ID: be27d3c9316313a48faf8423098f86df33b2fc81482cae92a2a71d9ad0a51bfa
Opcode Fuzzy Hash: aef72427b52f5c1a3aac64bcc527b71ff889ff84f7d631727e4d098b368fab1e
Instruction Fuzzy Hash: D641BDB1A053029FC714DF78D8848AABBF6FF89354B218969E805CB351E731EC45CB90

Function 072DA26C Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9713908beaaf60bba7770ad67532bd9c058456b745ba734d51d1caa6df96a3fc
Instruction ID: 68c956ae0af4ff25d7cd66d72091bbad39db7e17dbe78373e85d708e4dc3604a
Opcode Fuzzy Hash: 9713908beaaf60bba7770ad67532bd9c058456b745ba734d51d1caa6df96a3fc
Instruction Fuzzy Hash: 79414F75B00214DFCB14EBA4D998AAEB7F3BF88210F248069D816AB354DF31DD02CB51

Function 072DC95A Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238f75659f2a6bd5da249cc4c6f06c6ad62c8ad6226b56659c679c217433c983
Instruction ID: 5460382d1e32d4c643005ef0ba1f29776d830c675e310daa4fe2d02eb47410af
Opcode Fuzzy Hash: 238f75659f2a6bd5da249cc4c6f06c6ad62c8ad6226b56659c679c217433c983
Instruction Fuzzy Hash: 67310EB1B41246DFCB059F74D85862EBBB6EF89711B104869E906DB385DB71CC81CBA0

Function 072D6F79 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451773c9f5ae5baff4dec1134b1ce433a895d43133432f9988e314dbdc1a5dae
Instruction ID: 6ef0fc356a0c42d0bfe50f5e8d5c0109cbd199f3db4671357e0d41c8557fc184
Opcode Fuzzy Hash: 451773c9f5ae5baff4dec1134b1ce433a895d43133432f9988e314dbdc1a5dae
Instruction Fuzzy Hash: CF418E75700251AFCB15DF78D888AAEBBB2FF89300B108069E806CB3A5DB35DD05CB90

Function 07822610 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41740e5a8f3b73574c671c05163e4e86ed0f23b56e24c29c91f41f9570a9bed5
Instruction ID: 84048b62001f687e8d32bfbfee35cd54c3f2461e63126e39c494abf71856e887
Opcode Fuzzy Hash: 41740e5a8f3b73574c671c05163e4e86ed0f23b56e24c29c91f41f9570a9bed5
Instruction Fuzzy Hash: 762135B36083A65FD712CA78E8006EAFBE4FF96235F0982B7E144CB191C635A446D794

Function 072D6F88 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb2fc994e462fce0a66d1e298290e4e6d1850c4a763dc8631390eb595ab15c3
Instruction ID: 9af36d508258a414360f43ce81f4d86a45b15e096c6ed11038142a25bd0cc26b
Opcode Fuzzy Hash: 7bb2fc994e462fce0a66d1e298290e4e6d1850c4a763dc8631390eb595ab15c3
Instruction Fuzzy Hash: A5318E75710211AFCB15DF78D888A6EBBB2FF89350B108069E906CB3A5DB75ED05CB90

Function 07830000 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667286265.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3a181a3fd5ee500d9a447047a22e6dc02fc92a5268f26ca09dc8d6f1e73ca3
Instruction ID: a1e8a06ae19be3be62821cf9286fbee13886930f6badf6b4247a4692db7169ac
Opcode Fuzzy Hash: 2c3a181a3fd5ee500d9a447047a22e6dc02fc92a5268f26ca09dc8d6f1e73ca3
Instruction Fuzzy Hash: 40319FB010D3869FD7228F288C65BA67FB6AF56214F1A40D7D540CF1A3E3758C48C7A1

Function 07824298 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3eb240cf54e27336b91708855436ead9d34e5da159d3f6d8347a0424987ce2
Instruction ID: 637c7b4a6ce736941d5244abd7ccff8142992ddad6e9c8406a6f9763b17211c6
Opcode Fuzzy Hash: 1c3eb240cf54e27336b91708855436ead9d34e5da159d3f6d8347a0424987ce2
Instruction Fuzzy Hash: 3431C6719042AA8FCB02DFB9C8449EEBFF4EF49211F1445ABD414E7212E3309A42CBA1

Function 0782F228 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4ca881c43f4c834e1c92b411808a8ab5372f2d9b02cf984451a75bb666c5c6
Instruction ID: 147f809fec085a0c8614e0f5c8b2b70f6250b29a26931d606db0d38ecc180571
Opcode Fuzzy Hash: ad4ca881c43f4c834e1c92b411808a8ab5372f2d9b02cf984451a75bb666c5c6
Instruction Fuzzy Hash: 43310570F042688FCB099BB8D41406E7FF2EF8A310B1044AAD606CB3A2DE359C06C791

Function 072DE5F8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9218de15f35e11c29f52d88d9c41e8d499e4b38c8b783f988c5cfd6505ba8919
Instruction ID: 2f24e0366bc718154136323f71e4ddeb4c6a678d66540b8f85d92935df82e53c
Opcode Fuzzy Hash: 9218de15f35e11c29f52d88d9c41e8d499e4b38c8b783f988c5cfd6505ba8919
Instruction Fuzzy Hash: C731ABB17201129FC704EF7AC598D6A7BEAEF8965071640ADE906CF371DA70DC41CBA1

Function 078244A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d0fb5fb77dbebee9849c22677b393fe528184507eaee11ed266374457ab2a2
Instruction ID: 29163d04307e383921299d32f7158931108469b18672f411ebbe4937d8b6fb64
Opcode Fuzzy Hash: d4d0fb5fb77dbebee9849c22677b393fe528184507eaee11ed266374457ab2a2
Instruction Fuzzy Hash: BF212C727052A19FC7161F35B458199BBA5EFD122671400BBE449C7291CF75CCC7C7A1

Function 07828018 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5673df9b58c0ab61a0503a0754bf558fc486f80e3961215ec7bfd25fa3fc4731
Instruction ID: bc3dcb1177be9da97d1770fc1439076ef540edb13b0a41c0a6fbf71d4b5e7946
Opcode Fuzzy Hash: 5673df9b58c0ab61a0503a0754bf558fc486f80e3961215ec7bfd25fa3fc4731
Instruction Fuzzy Hash: 7D2180717001159FCB049F69E85967E7BE6FF98301F10842CED06D7381DA759D11DBA1

Function 072DEA58 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec647091c76c56903595470d7e9178fa2900a9077d85e8ab1d3838851fac31
Instruction ID: 1a42ebfaa9f11183ff553b499a2d8d688b51eb18a4e25138f88a8fc83b4e9ba9
Opcode Fuzzy Hash: e0ec647091c76c56903595470d7e9178fa2900a9077d85e8ab1d3838851fac31
Instruction Fuzzy Hash: 6A217FB1A11617CFCB11CF28C984A6ABBB4FF45315F1684A9D8069F2A5D730EC41CB61

Function 072D7D08 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77e66391820f19f28fd0db92470151fca895b31452dac9a3092fbe9240c368c
Instruction ID: dbc9bb94e8cbe3e5d65ef161b61c0a5792c100fe2cde1ed3ea0610b20bf20eca
Opcode Fuzzy Hash: d77e66391820f19f28fd0db92470151fca895b31452dac9a3092fbe9240c368c
Instruction Fuzzy Hash: 02218E71B00106CFCB05EF78D5948AEBBF6EF8921072440AAD505DB351DB35DD12CB92

Function 0782AB29 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f1135bbff2c2c8a74790e1f279cd11b6945675c94bfeec1d7252161bc68837
Instruction ID: addc0f38753613b88ece11cbf871a356a0d8dbbe3f409259abf92f024a15130e
Opcode Fuzzy Hash: b6f1135bbff2c2c8a74790e1f279cd11b6945675c94bfeec1d7252161bc68837
Instruction Fuzzy Hash: F221F5B16003169FCB29DF68E444B6ABBB2FF51321F048A6DD505CB651D734E88ACB93

Function 078212BA Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c592ec96fce77db46f863b99e00e2093feefaba507468e4d01fd39051da756e
Instruction ID: 3b88baab6975f3a7d366df9b0c09647ea08b82dd671a90c5039a8c389856b012
Opcode Fuzzy Hash: 7c592ec96fce77db46f863b99e00e2093feefaba507468e4d01fd39051da756e
Instruction Fuzzy Hash: 7B21C171201340AFC3169F24D459E5ABFB6EF85320B2580AAE485CB362CB75ED85CB50

Function 02EDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658364188.0000000002EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2edd000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434247544a238bcf8e12a236690f7240a0ba91905e4ed8dd671bf2fec03932bb
Instruction ID: dfd94ae3bbadd75421e4f6dbb59e5155ee0333d6bb880dc4a13cc364154fb19c
Opcode Fuzzy Hash: 434247544a238bcf8e12a236690f7240a0ba91905e4ed8dd671bf2fec03932bb
Instruction Fuzzy Hash: 1D21F272684200DFDB14DF24D984B26BBA6EBC8318F64C569D80A4B296C33AD847CA61

Function 078262F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebf5a7288c5dc95c103830574fe39b3fec71697a147f9ea71236072e1992f1e
Instruction ID: f4e6536426fd5c1ab348f9ee9a7592e6591e5ca622c9e7b62e92134a26a756e7
Opcode Fuzzy Hash: 5ebf5a7288c5dc95c103830574fe39b3fec71697a147f9ea71236072e1992f1e
Instruction Fuzzy Hash: 8F219F71B04298AFDF11CFD4C884AAEBBB5EF58310F14846AE941EF255DA31D896CB81

Function 072DDB59 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae932c519efd630c0e0414b92bcc1df3000466fa19adac54054b29a0111a01fe
Instruction ID: a8afc58a779b83766a88fc4fcad40eb3eaab679cdfe3f52eb7959455ec4da025
Opcode Fuzzy Hash: ae932c519efd630c0e0414b92bcc1df3000466fa19adac54054b29a0111a01fe
Instruction Fuzzy Hash: 251106F2B006256FC325DA789840B6BB7D5DFC8660F11452AFA05CB391EE70DC0187D0

Function 07829F7E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f0d9d83fedcaa7119a68533ab480217471fa8d0e51ca25ba9e79a4a13ae63b
Instruction ID: 6db76ad9b799a4b654825fae5cf985499aae887184bf857241bf2f9cddeb6468
Opcode Fuzzy Hash: 96f0d9d83fedcaa7119a68533ab480217471fa8d0e51ca25ba9e79a4a13ae63b
Instruction Fuzzy Hash: 30215B71700610DFC729CF2AD94895ABBF6FF88311B45C56AE846CB261DB34EC46CB41

Function 07824648 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93502e3eb046a6ef716669766aebfc33fbb0f54eb02beb8dd1906d13370971cb
Instruction ID: abc7b02f9e466c7dc04f62efa28c79181a5a292d844379e29576384752f6f78d
Opcode Fuzzy Hash: 93502e3eb046a6ef716669766aebfc33fbb0f54eb02beb8dd1906d13370971cb
Instruction Fuzzy Hash: 3111E1F17003919FE7268F6AE484A13BBA6EF91215B14856AD54EC7212C731EC8AC760

Function 072DB038 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976223a0f89a8ac8894e1c15351ea55f913edf29709d9cb116d93cdd6a2b593a
Instruction ID: 6fa09324e0eb3258159bc1f3f23b98aa27e5ca9fc521be2dd6dbe40caf1f94e1
Opcode Fuzzy Hash: 976223a0f89a8ac8894e1c15351ea55f913edf29709d9cb116d93cdd6a2b593a
Instruction Fuzzy Hash: 2011BEB0B202069FC716CF78D894A6ABBB2FF88311F11455AD542DB395DB31EC05CBA1

Function 072D7BA8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc9f090d700f1a68cb74f3bd7fad84c1cd25fd79f6e42bf2777f44e36f57eb1
Instruction ID: 21f19d76cd311d675a24c000e4a22d081d1e3f86e0dffa80ebd47b725db2c9b4
Opcode Fuzzy Hash: 1cc9f090d700f1a68cb74f3bd7fad84c1cd25fd79f6e42bf2777f44e36f57eb1
Instruction Fuzzy Hash: 451160B1F90209CFCF149BA5D4586EEBBB6EB8C320F544429E506FB340CE745C558BA0

Function 02EDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658364188.0000000002EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2edd000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b67fe1c08b3260a5344a596bae627c3af40be86ccfb4a3161978cbeca6c2e32
Instruction ID: ed95641841b7d7bc7c9521a7cb3944e6ae38297f2c54217fa6cde6eda36021a7
Opcode Fuzzy Hash: 5b67fe1c08b3260a5344a596bae627c3af40be86ccfb4a3161978cbeca6c2e32
Instruction Fuzzy Hash: 0221A7755493C08FD712CF24D994715BF71EB46218F28C5DAD8498F6A7C33A940BCB62

Function 07824700 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e39d6c40711e85f7563bea2f556bbaf4c75cd3ef942103452da16d419162a48
Instruction ID: 15e1bdc16887240c231bc5a7a90eba4260222cb704a0dc03501b478cd368cdf7
Opcode Fuzzy Hash: 6e39d6c40711e85f7563bea2f556bbaf4c75cd3ef942103452da16d419162a48
Instruction Fuzzy Hash: 9C0126F13141AAAFE3142D6E68447276A9EABD2702F14803B950EC7384DE65CCC3A271

Function 078213EA Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523eb67179dc981a89c0791a7f76d43b876e60316d55d39d22d66485a6e5fbfe
Instruction ID: ed2efa2cae02ea06c5fd88136789426586ac0153bafd8e6d5dced9a34def63b6
Opcode Fuzzy Hash: 523eb67179dc981a89c0791a7f76d43b876e60316d55d39d22d66485a6e5fbfe
Instruction Fuzzy Hash: 8A1123727043146FC715CFA4E805AAABBAAFB84320F14412AF104CB281DBB1EC0587A0

Function 072D0439 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16da785814c4d375714d6b5e640c64123b365f3140304f23c37cb901d7f29c5d
Instruction ID: 28eb02b0caaf5910ccfadd39cf3d930319d360d53e61e027b39622f0e26d95e4
Opcode Fuzzy Hash: 16da785814c4d375714d6b5e640c64123b365f3140304f23c37cb901d7f29c5d
Instruction Fuzzy Hash: AF118171A0064ADBCF20DF9AD4C4CAAFBB9FF84310B548566D91597265D730FD10CB60

Function 072D7DD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1eb5934b98e5b581dfced9e42ba0f90d4ab20e4e7f13160cfbb3dfcb3f9376
Instruction ID: 9b45f00df9be1f5812fdd5756748d75d50ca3f87edd7be78e7c23029590cb5f5
Opcode Fuzzy Hash: 9a1eb5934b98e5b581dfced9e42ba0f90d4ab20e4e7f13160cfbb3dfcb3f9376
Instruction Fuzzy Hash: 7211E3B17152819FD721C7ACE844F92BBA1DB85320F04C2AAE254CF6A2D7B4EC46CB50

Function 0782AD42 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b222d58fc7ee7066b72b768798778d4f1e42c63a5542b7e2b4925b0491aee3
Instruction ID: 70ff8bbaac4253ad7adf01ad99d3bd96c2bdac582aa820495e8f77456d413732
Opcode Fuzzy Hash: 21b222d58fc7ee7066b72b768798778d4f1e42c63a5542b7e2b4925b0491aee3
Instruction Fuzzy Hash: B311B1B0A016169FC760CF28C548BA9FBF5FF44215F448569D408CB651E335E982CF81

Function 0782DF10 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6fc2b29946236094746a63b88cd5b467c1b0d7ec94d525b40f9b122a484467
Instruction ID: 3b5cbf47b1af14a57437254b40df53b5d87419d43575618f7c97f78dbe4cb196
Opcode Fuzzy Hash: 8b6fc2b29946236094746a63b88cd5b467c1b0d7ec94d525b40f9b122a484467
Instruction Fuzzy Hash: 3811BF356102459FC701CF68D888D9EBBF2FF89320B1481A9E819CB362DB71ED06CB90

Function 0782BF68 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfce06967b0147f8c277792329c108fd3e6a05afc80bc6266cc54ea94ed49b5
Instruction ID: 37d484823f2a417eec9f27d3236495681e34738586f30bba303e2ddf8b1afc2f
Opcode Fuzzy Hash: 4cfce06967b0147f8c277792329c108fd3e6a05afc80bc6266cc54ea94ed49b5
Instruction Fuzzy Hash: 861123756002599FCB11DFB4E8098AFBFF9FF8C210700816AE909C7215DB348A46CBE1

Function 078213F8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18945a5e4512dbf088eeede2dfff46cf02f6a20c056fb7de6f775f7b3f625782
Instruction ID: 76b18a9e1bec8f8a1e76ea34142d210e557a2bee0dbeddb29721b538c3c8c404
Opcode Fuzzy Hash: 18945a5e4512dbf088eeede2dfff46cf02f6a20c056fb7de6f775f7b3f625782
Instruction Fuzzy Hash: 1111A5727102146FD714DF98E845E6BB7A9FB84320F10852AF505DB240DB71D90587A0

Function 078268E9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6058bca46b7a9f9fd26167d9e0a3364461caf21c1741afd5b5218f65eb7232
Instruction ID: 3b9c68054a469151195c7a1371df907b4e87c9dcd127c447dab796f5bdd71303
Opcode Fuzzy Hash: cd6058bca46b7a9f9fd26167d9e0a3364461caf21c1741afd5b5218f65eb7232
Instruction Fuzzy Hash: C51142312447458FC711DF69E94188BBBF1EF853107008A29E4868B625DB70FD49CB91

Function 0782EADF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedf134aaef76c82ec548f3b151c01f15fb399ca70ad3839ddec9d7909a213b8
Instruction ID: a4e16070d27e6ccd5a4a3932d41d0c4b2593398f484c2deccf105392e2def464
Opcode Fuzzy Hash: cedf134aaef76c82ec548f3b151c01f15fb399ca70ad3839ddec9d7909a213b8
Instruction Fuzzy Hash: 530104B1A40126CBCB18DF55C91C2EEBBF1AF48211F14452DD406FB340CB724D42DAA4

Function 072D5E8F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcfa4d0e76ac1504341300cb71445d5cd94d5f46d65e672cf6d3f78c5039dd8
Instruction ID: 2b3d6235549a007fc7d2760c61e395faac321af6b52bdf44876750cd72b57d79
Opcode Fuzzy Hash: 0bcfa4d0e76ac1504341300cb71445d5cd94d5f46d65e672cf6d3f78c5039dd8
Instruction Fuzzy Hash: 60116675B101068FDB14DF79C484AADBBF2BF88314F1581AAE8169B361DB70DC92CB91

Function 0782DF20 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c54e64fb69d6cd97d125e83986ecfb7a7f9b2475885d4d566fd3307c99f839
Instruction ID: e871bb45cd0978e98c01dcb6f440035eee222b09be25e443e75b9fa995e987cc
Opcode Fuzzy Hash: 90c54e64fb69d6cd97d125e83986ecfb7a7f9b2475885d4d566fd3307c99f839
Instruction Fuzzy Hash: 5B1151356102059FC704DF68D848D9EBBF6FF89324B1485A9E4198B361DB71ED46CB90

Function 072D7B20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9398b0fea5003c6b984592c617dd1fb6a9f424e364ef6951d634dc659eaf943f
Instruction ID: 10f674fc1ccd879b89c4357448dc5d4d969d985a51d720cfca690c604bb5e7f8
Opcode Fuzzy Hash: 9398b0fea5003c6b984592c617dd1fb6a9f424e364ef6951d634dc659eaf943f
Instruction Fuzzy Hash: A40165713102058FCB04DF2AD888A1AFBFAEF8936071581AAE505CB332DB75EC45CB90

Function 072DA89A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718ab4c0a31e9ec62bbe6a6a97c7fa1232530a8bb257966097cda672f6b05597
Instruction ID: 0084ef1bd4a1966920cbf5fed1b5b7be4196975ba2d2f83f5633913846cd223f
Opcode Fuzzy Hash: 718ab4c0a31e9ec62bbe6a6a97c7fa1232530a8bb257966097cda672f6b05597
Instruction Fuzzy Hash: 911148B5A1121AAFCB04CFA9D944AEDBFF2BF49310F148169E801B7254DB315E40CFA0

Function 07824638 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7526efce57d4ea0b12e057daea72ed186e0a6ac8e031a9038b3d405d6a5b8b58
Instruction ID: 70866b4b9a6d183592675a1aced0f2154c6e64fb1f1c0e4307d822edecd7857c
Opcode Fuzzy Hash: 7526efce57d4ea0b12e057daea72ed186e0a6ac8e031a9038b3d405d6a5b8b58
Instruction Fuzzy Hash: A7012BF23052D1AFD7168F69E840C92BFF6EF86216B0A40A7E44CCB612D621DC86C764

Function 072D9758 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8035559ae86fec4a9c68c8a7111e7b64ddb7dde00fabe4f673395b8b49db9c9a
Instruction ID: dc310d7da069acb2b6be9888677a0b62056ff441a028f8d000091ac5f3be8c19
Opcode Fuzzy Hash: 8035559ae86fec4a9c68c8a7111e7b64ddb7dde00fabe4f673395b8b49db9c9a
Instruction Fuzzy Hash: BDF0A473300215BF9B10DE59FC48DBFBBAEFBC8225314852AF549C3200EB3198058751

Function 0782E980 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66484f0c7bb3e3da9abb5773fa3e4d001d60fd64eb87f280ace96003d90c564c
Instruction ID: 5730a5c4614530b0129096f385e6426dc95804e15cb46453e30d3b46b1486041
Opcode Fuzzy Hash: 66484f0c7bb3e3da9abb5773fa3e4d001d60fd64eb87f280ace96003d90c564c
Instruction Fuzzy Hash: 34F0F4B23042625F83528E49D444DABBBAAEFE822071D812BEC48CB201C6308C4283A4

Function 0782EBAB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d55765808dae47a03b28e0f8bc5a9e6202c9e8b357440dc5f8f65839c5bff3
Instruction ID: 5345fe0c54e571941cf691a70c9772a11b9c60573762b9f21b581f6ca8e8b69a
Opcode Fuzzy Hash: d6d55765808dae47a03b28e0f8bc5a9e6202c9e8b357440dc5f8f65839c5bff3
Instruction Fuzzy Hash: 6301D4B0E45226CFCB14CF55C56C2ADBBF1AF59202F14466AD407FB290CB314C82DB55

Function 072D6F08 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e878dc36b53a91d00dcab7a7891c82eca59f01b592842afcc05d0eb17f90ab99
Instruction ID: 104f768459cb29a7970a08dc838c30a8c6d1d12c8952260d1d4a8fe009ffe5ba
Opcode Fuzzy Hash: e878dc36b53a91d00dcab7a7891c82eca59f01b592842afcc05d0eb17f90ab99
Instruction Fuzzy Hash: F801A4B0731B03DFCB299A76D5045A3BBE6BF85285B18883DD44386A14DB75EC84CB90

Function 072DA8A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b957470c8f5f5ec3bdc5c109e8d042acba64ec167dedde97596442a3c05bd0ca
Instruction ID: 688bb8ed0cd9577cfb6e310027467fcb2383cf58640db8d4db910014c6964236
Opcode Fuzzy Hash: b957470c8f5f5ec3bdc5c109e8d042acba64ec167dedde97596442a3c05bd0ca
Instruction Fuzzy Hash: 0E0157B4E11219ABCF04CFA5D944AEEBFF6AF88310F148029E811B7250DB315E00DBA0

Function 07821498 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad17ff9189b7541c4f2a2d0067286bd7a327ce46c1de9b776fc3c69c1820e6a6
Instruction ID: b36e50a324f389531f814938a143fc7435301384d1ddfed31d394e09d68b3f22
Opcode Fuzzy Hash: ad17ff9189b7541c4f2a2d0067286bd7a327ce46c1de9b776fc3c69c1820e6a6
Instruction Fuzzy Hash: 3A0121312406059FC725DF69E94494BBBE6EF84310700CA39E45A8B735EB70FD498BA1

Function 0782F1B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308c107870aeef5e52151543d49a91bcb1d668a1b1e1b5ef536e699205f9354f
Instruction ID: 6b3cb247a022907b62cb32440b34e4ae19d9159a3c23b799fd28bc16fac85c67
Opcode Fuzzy Hash: 308c107870aeef5e52151543d49a91bcb1d668a1b1e1b5ef536e699205f9354f
Instruction Fuzzy Hash: DEF0B4B2B182259F8B08DEA9F4044AA77E8EB5516672400AFE10DC7250EE71D982C784

Function 072D7DC8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed4758e1bc739c6968fb79a47cb74ba2c0afbfba32f82a111c8460eb47f1bed
Instruction ID: 6e94073570572664799b2d9bb9ff2951afc8b4b7ccfd139655f8b292431887bd
Opcode Fuzzy Hash: eed4758e1bc739c6968fb79a47cb74ba2c0afbfba32f82a111c8460eb47f1bed
Instruction Fuzzy Hash: F7F0B431750342AFC721CA29EC09F957BA6DB89724F05C166F214CB2E2D7B5DC859744

Function 07824868 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f08f4045c3c17707ed7ed88bc89eac24f6f1b7a72ba94aa7e5db166e2f455d
Instruction ID: 413bc82a2c1f66e74cdb3fb829013eca7097c8d87b9cdb7f352f01d52c9d03b5
Opcode Fuzzy Hash: 86f08f4045c3c17707ed7ed88bc89eac24f6f1b7a72ba94aa7e5db166e2f455d
Instruction Fuzzy Hash: B0E04F763001249BC7149A5EE404D9ABBADDFD87727058037FA08C7360CA71DC5296E4

Function 0782F972 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7017f49ba40c0c209970da33975d23047db2d0f7f8fa4abecbd6cbfe790c8e4c
Instruction ID: d679d1d271f972b6030be6f6c30b4ac5940b42c880dc358785456c5e48ab8d23
Opcode Fuzzy Hash: 7017f49ba40c0c209970da33975d23047db2d0f7f8fa4abecbd6cbfe790c8e4c
Instruction Fuzzy Hash: 6CD0A7F4B50028EF8F10CBBCD4144EC77B0DBA9126B100466D30ACB624C733989BCB41

Function 0782F218 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09f81bf72093b437ab4a3f75ea700e0b71a6d522274ccebec6572559ec143a0
Instruction ID: f80bad55a2138951600aab78eb9c415a76bb16488994cbaabe6aec6db4bb9a24
Opcode Fuzzy Hash: a09f81bf72093b437ab4a3f75ea700e0b71a6d522274ccebec6572559ec143a0
Instruction Fuzzy Hash: 0DD0A7B15442249BC3124B54B8004957FBCCB455703200073E00CC3110D66958534BD9

Function 072D0878 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16194ce8050ec4f99d95477f7698b2264dbb9440d9ac4d38d86bc1ed73140385
Instruction ID: cf061963fa19251e0372e6b60130f853f6a481701fe61c7f1c457b645f63c99e
Opcode Fuzzy Hash: 16194ce8050ec4f99d95477f7698b2264dbb9440d9ac4d38d86bc1ed73140385
Instruction Fuzzy Hash: 16D022310803068FC7006730F48A0C87BE8DA402207100082D0088B419CF2868C683E2

Function 072D084F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917ce2772225500d9d06b543b0248871822f197e1a7c8c411618e19127fb0ea3
Instruction ID: 77b080d1d19e4f8b74428243315916d1fe54430e6b23125a6d8a037084810771
Opcode Fuzzy Hash: 917ce2772225500d9d06b543b0248871822f197e1a7c8c411618e19127fb0ea3
Instruction Fuzzy Hash: 22D0923424D2C28FC712AB389AA09467FA1DF87244B5904C682948B596D328AC6AC792

Function 0782F3C4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7565547ed059ea4a4b3a49bd0b186c368570de42ae87bdf417557136e730bd1a
Instruction ID: 5844fce9f03e3d5fde1b9ecd65cbf7e7574155ba310fefad3d3d5709187888dc
Opcode Fuzzy Hash: 7565547ed059ea4a4b3a49bd0b186c368570de42ae87bdf417557136e730bd1a
Instruction Fuzzy Hash: C8D0C975B504149F8B54DBADE55049C7BF1EFC9226B1000AAE20AD7634DB3198558F90

Function 0782F62C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f837b0e508ea2406963652544ec0ad15ba3eca43d3b23b906ef31eae78f067
Instruction ID: ed8c9abfd1995e893743bb5a4982ac2986a9df556e82998cf8ea3cedf41a3b65
Opcode Fuzzy Hash: c2f837b0e508ea2406963652544ec0ad15ba3eca43d3b23b906ef31eae78f067
Instruction Fuzzy Hash: D9D0C9797500148F8718DAADD41049C37A1EBD5226B1000A6E207C7A34CA31DC95C781

Function 072D5130 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7135b2fb38b52bd5aa60bc9a301fb6db0512d1811fc559fafda92067da28ab80
Instruction ID: 57ccf95e2c77099d5720c9380942ffb29d1fb224df2c81685c7797bab5679500
Opcode Fuzzy Hash: 7135b2fb38b52bd5aa60bc9a301fb6db0512d1811fc559fafda92067da28ab80
Instruction Fuzzy Hash: 6FC08C3610C2C05FE3025B302EA6A81BF709B22305F0A0096E288894B7C52844D4E733

Function 072D0DA8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e2b9793b52b60b25bab6690524bb5f84b4b0b82f65155bdade0f08198b7e45
Instruction ID: 16bc5d25396de5e9ac4f5a962f6747209fb6e5d282348e4dc2adccfa51385782
Opcode Fuzzy Hash: f1e2b9793b52b60b25bab6690524bb5f84b4b0b82f65155bdade0f08198b7e45
Instruction Fuzzy Hash: FDC08CF8200200AFD3058B208848A2B7AE3FBD8301F12C819A1058622CCA38C882CB90

Function 072D0888 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbec345fd7e0833e12716a8a3da4aa8f12914a91a45a5b4c1100990c765ca317
Instruction ID: f062d07ddc93bcd951e76a049b671858f288ba1ba698e326eda7ba8c87019206
Opcode Fuzzy Hash: cbec345fd7e0833e12716a8a3da4aa8f12914a91a45a5b4c1100990c765ca317
Instruction Fuzzy Hash: FAB012300C030F8FC6006755F90A504779CE680614B400160A80C061195F7D6D8587C5

Non-executed Functions

Function 07821BA0 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

%, xrefs: 07821F94

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 3444b75d1fd50f68b3a791460dae72e9ad4244d263cc8d86626f86680e24ed0b
Instruction ID: 6d38fa8709d3e67a6233e01c9557710a4f124799bfe8b15c6989c907251e1e4b
Opcode Fuzzy Hash: 3444b75d1fd50f68b3a791460dae72e9ad4244d263cc8d86626f86680e24ed0b
Instruction Fuzzy Hash: CE025EB0A00208DFDB14DFA9D958AAEBBB2FF88301F24856DE5059B355DB35D846CF50

Function 07824F58 Relevance: 1.3, Instructions: 1253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667259897.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7820000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cb4cd968d2c0ba33a6697ac9630130b99781188b8394e07b56d65813970cfe
Instruction ID: 69004ac707a51312c8e21decefe6ec8fcbaacf100179f70f91994c31eca913b2
Opcode Fuzzy Hash: 83cb4cd968d2c0ba33a6697ac9630130b99781188b8394e07b56d65813970cfe
Instruction Fuzzy Hash: 50C215B0A00229DFCB25DF64D948AADBBB2FF59301F1084A9E849E7250DB359DD2DF50

Function 072D89E8 Relevance: .8, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357cbc00940338740a1ce8fb679da2216b12f90fe6a596e609009d57c6be7926
Instruction ID: 6f714f24ba6441f7840b001a108b61847822f861841549132f4921914c92919b
Opcode Fuzzy Hash: 357cbc00940338740a1ce8fb679da2216b12f90fe6a596e609009d57c6be7926
Instruction Fuzzy Hash: E1623CF0610200AFD748DF99D55871ABAD6EB84308F74C99CD0099F395CBB7E94B8B92

Function 072D89F8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fad73fe3b332d1a14e4e7b7e60c7c7a34a8fafce6f8e917e4a6c1de3e9fa52
Instruction ID: 6cadb5c005d0a0ddb79ecf3a64792068bd13f545d48b1f78d8993f34b8857f57
Opcode Fuzzy Hash: 07fad73fe3b332d1a14e4e7b7e60c7c7a34a8fafce6f8e917e4a6c1de3e9fa52
Instruction Fuzzy Hash: 76623CF0610200AFD748DF99D55871ABAD6EB84308F74C99CD0099F395CBB7E94B8B92

Function 072D825A Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be0b18d24c37c3817d9ba8cd13211f4323b723180595fb19b22a9188a9b84d6
Instruction ID: d599f255eef007bf9e9df96a0dc43593b2e6114689483ef6d93e80eb5580995a
Opcode Fuzzy Hash: 4be0b18d24c37c3817d9ba8cd13211f4323b723180595fb19b22a9188a9b84d6
Instruction Fuzzy Hash: AFE1A3B0A1024AEFCB15DFA8D944A9EBBF2FF88314F148569E405AB361DB30DD45CB90

Function 055CE0A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1660089609.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82f336cd9c77cb35d53bf1f01077eb913408dd1514db8e054b191030a59fa5f
Instruction ID: cae2d2c10cdf121b26b243a8f069a63768339654e4dc58e78e3a5baa3b8fa54f
Opcode Fuzzy Hash: f82f336cd9c77cb35d53bf1f01077eb913408dd1514db8e054b191030a59fa5f
Instruction Fuzzy Hash: 81A16032E002098FCF15DFB4D84459EBBB7FF85300B1585AEE806AB265DB31E955CB80

Function 072DB5E0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665285710.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3a8d1268cc731e4db1345fcdd935cd157fb94fe0109f125e45391d43854402
Instruction ID: f53868c68f41071360675cf659f5da5ffb6d4918d07ea863a898fb9ed590ba12
Opcode Fuzzy Hash: 1a3a8d1268cc731e4db1345fcdd935cd157fb94fe0109f125e45391d43854402
Instruction Fuzzy Hash: 4891B0B1A102068FDB11CFA8C590AAABBF5FF84310F16C669D5198B265D730EC95CBD0

Analysis Process: CTM REQUEST-ETD JAN 22, 2024_pdf.exePID: 1892, Parent PID: 7032COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.6%
Total number of Nodes:	35
Total number of Limit Nodes:	5

Executed Functions

Function 0264C168 Relevance: 2.0, APIs: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4093626210.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2640000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dce99029cb0324625345f16d3849420e3fdea8ca80e023a3d6ec702c5d9b1d
Instruction ID: aaae525f6de9d85a2b214b06888f190bf42ad92282c12bf921f9731701f1a222
Opcode Fuzzy Hash: c5dce99029cb0324625345f16d3849420e3fdea8ca80e023a3d6ec702c5d9b1d
Instruction Fuzzy Hash: 76225D74E01219CFCB14DFA9C884B9EBBB2BF88304F1085AAD449A7355DB759D85CF50

Function 02644F08 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4093626210.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2640000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fba799a59abb1674ff93df347aba167b9f0a2b72e93ddec4781bc4ae25b21c
Instruction ID: 3d0647656588f4ec975d032bd269dac40ed7a80858e457b96691f8ddf88e464e
Opcode Fuzzy Hash: 62fba799a59abb1674ff93df347aba167b9f0a2b72e93ddec4781bc4ae25b21c
Instruction Fuzzy Hash: 5BC1B278E00218CFDB14DFA5D944B9DBBB2BF88304F2085AAD809A7364DB359E85CF10

Function 04C8E4D0 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a225eae427223ff39af8c66a9f8274c4a7b26e7208bde4c6cf280737b40832d
Instruction ID: 48da3e98b366369f61064015b7fb477e3e93d9a3e3fd53c8e9fe51f97cfcfa11
Opcode Fuzzy Hash: 9a225eae427223ff39af8c66a9f8274c4a7b26e7208bde4c6cf280737b40832d
Instruction Fuzzy Hash: 46C1B374E00218CFDB54EFA5C994B9DBBB2BF89304F2085A9D409AB364DB359E85CF50

Function 02645358 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4093626210.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2640000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051f98dbc217900403adfd1973d3f9af07d674339c7805a06417ac7021607837
Instruction ID: 2ba0de12ada5fb675486cfc523280a15d4b6ff748cde4597dfb84e61e2dcf8a5
Opcode Fuzzy Hash: 051f98dbc217900403adfd1973d3f9af07d674339c7805a06417ac7021607837
Instruction Fuzzy Hash: 0EA10374D00208CFDB24DFA9D588B9DBBB1FF89314F209269E449AB3A1DB709985CF51

Function 026456AF Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4093626210.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2640000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4c04ff1d9b7b4cff9ed1275acb375da1598035dd83f97f0565c6bbed238243
Instruction ID: cff6f62154278c6c7018205385a1743b69581688b98706ebd7b8e573fb32faac
Opcode Fuzzy Hash: db4c04ff1d9b7b4cff9ed1275acb375da1598035dd83f97f0565c6bbed238243
Instruction Fuzzy Hash: 1E91F274D00208CFDB14DFA8D988B9CBBB1FF49314F609669E44AAB3A1DB709985CF54

Function 04C8E4C0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6476562e63c3eb6ab8db13701f316d1d4a09ac15c9d0a3696e0e84f43135d519
Instruction ID: decfa6c6fc6fd4fa07f1e6f375473b48273fc32e69db8c5d88adc6c9a103455f
Opcode Fuzzy Hash: 6476562e63c3eb6ab8db13701f316d1d4a09ac15c9d0a3696e0e84f43135d519
Instruction Fuzzy Hash: 5741F270E01208CBDB18DFAAD9406DEBBF2AF89304F24D12AD418BB264EB345946CF14

Function 0264C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0264C8AE

Memory Dump Source

Source File: 00000002.00000002.4093626210.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2640000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ee0c8f33a1e442a94ef582ee6cfb60e2ea458120050e3281657b96752af451f
Instruction ID: 30a6f5fb8f26fb550be9086cfd81a943c0f6abee16535f9f9f047c1211c8ffb7
Opcode Fuzzy Hash: 3ee0c8f33a1e442a94ef582ee6cfb60e2ea458120050e3281657b96752af451f
Instruction Fuzzy Hash: D5114C74E021099FDB04DFA8D484BADBBB5FB88304F54D16AE944E7345DB30A941CB64

Function 009CD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4093164058.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9cd000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916996c9c6383c6850fdeac89b798d95f2e8a1e1b83fc8da1cee7d1dde377fa3
Instruction ID: 92012105d2035b877c0d3834faf932ec6ab2c76fcac472be6d30aed40bbbe52c
Opcode Fuzzy Hash: 916996c9c6383c6850fdeac89b798d95f2e8a1e1b83fc8da1cee7d1dde377fa3
Instruction Fuzzy Hash: 13210471905204EFDB14DF18D9C0F26BBA5FB84314F24C97ED8494B296C33AD847CA62

Function 009CD006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4093164058.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9cd000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a267df422705b27566a9ec450b4cb66d094a232672acd6362669ac017ed46ef0
Instruction ID: 0c3166cea4a6cacbc633017a8518e4f66329f16be87a6102ee3b5003d8275659
Opcode Fuzzy Hash: a267df422705b27566a9ec450b4cb66d094a232672acd6362669ac017ed46ef0
Instruction Fuzzy Hash: 0B215E7150D3C09FD703CB24D994B11BF75AB46214F29C5EBD8898F2A7C33A981ACB62

Non-executed Functions

Function 04C89CA0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450f138aad73a5e14f665b90ed406a66451f588169a2240154d03c6890515daa
Instruction ID: 470e54b646729ba80103a357e30bc8a7d1b7578198e4c795f6491e134994c261
Opcode Fuzzy Hash: 450f138aad73a5e14f665b90ed406a66451f588169a2240154d03c6890515daa
Instruction Fuzzy Hash: 5B02EA75E00218CFDB14DFA9C984BADBBB2BF48304F1484A9D819AB365DB31AD85CF54

Function 04C815F8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e99162334b472ec0e5a1aa2bcabd2c51d91bbf494c1cf6a23793f28000a432
Instruction ID: bd19d0739bc0a8d5534f6b5f7c0af8edd85e7e73eb675fdcc25a4a039d4c7052
Opcode Fuzzy Hash: 58e99162334b472ec0e5a1aa2bcabd2c51d91bbf494c1cf6a23793f28000a432
Instruction Fuzzy Hash: 62E1C074E01218CFEB24DFA5C944B9DBBB2BF89304F2481A9D409A73A4DB759A85CF14

Function 04C8C0D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9391ccb9f31113585a82e93170098f6f7a5d44a66e22cc1d9ac3466e2bc12c
Instruction ID: 7200d072d82418b9c953baef33fab175e359d38fe658e81ceec79f03ce792174
Opcode Fuzzy Hash: de9391ccb9f31113585a82e93170098f6f7a5d44a66e22cc1d9ac3466e2bc12c
Instruction Fuzzy Hash: A3C1B374E00218CFDB14EFA5C984B9DBBB2BF89304F2085A9D409AB365DB359E85CF50

Function 04C808F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647cec7aecf8606ec366d1f6a82413f537c383d1edb1432a7391fbf1510e14d3
Instruction ID: b156ea45e7e5dfc7e3ae722c4a1950c05b0faca874707217a25ecfa0507181de
Opcode Fuzzy Hash: 647cec7aecf8606ec366d1f6a82413f537c383d1edb1432a7391fbf1510e14d3
Instruction Fuzzy Hash: B7C1B274E01218CFDB14DFA5C994B9DBBB2BF89304F2085A9D809AB365DB359E85CF10

Function 04C8BC80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8040c1fe47f235c2c5246d5ea454b0ef2234b361a4177e72b35b459485fd4ad6
Instruction ID: 5253d3fee7d0f998c82c1ce8c19c49327fe69f0e00d160def24565e0800bbd89
Opcode Fuzzy Hash: 8040c1fe47f235c2c5246d5ea454b0ef2234b361a4177e72b35b459485fd4ad6
Instruction Fuzzy Hash: 97C1C474E00218CFDB14DFA5C994B9DBBB2BF89304F2085A9D409AB365DB35AE85CF50

Function 04C80498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97ce0f9380183faed5076b865811eab62c93e80edcdc0c024492a68797fdcc5
Instruction ID: 11bf675e36af0304aa5518c3bb100ce914cd7e831ab706979fade02a1a3e02b5
Opcode Fuzzy Hash: d97ce0f9380183faed5076b865811eab62c93e80edcdc0c024492a68797fdcc5
Instruction Fuzzy Hash: 81C1C274E00218CFDB14DFA5C994B9DBBB2BF89304F2085A9D809AB365DB359E85CF50

Function 04C840A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367f151fbb7be3a17ad4daeca83133a7ab5ac8a61350a26e443c5c40cee1d3c0
Instruction ID: 2a4fcbd9e2429e98f34ee911b79ab8c68a5b54f142e86cbfd0014bef93c533c1
Opcode Fuzzy Hash: 367f151fbb7be3a17ad4daeca83133a7ab5ac8a61350a26e443c5c40cee1d3c0
Instruction Fuzzy Hash: A6C1C474E00219CFDB14DFA5C984B9DBBB2BF89304F2085A9D409AB365EB359E85CF14

Function 04C80040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748db046dd4524fcf197bb46671bd540350a8638af5f2bd3ece626359b3c3819
Instruction ID: 11a5e4ee80b5da766ea1398465ed9150d39bcae99daa5be4be87ab81bd650511
Opcode Fuzzy Hash: 748db046dd4524fcf197bb46671bd540350a8638af5f2bd3ece626359b3c3819
Instruction Fuzzy Hash: AFC1C174E01218CFDB14DFA5C994B9DBBB2BF89304F2085A9D809AB365DB359E85CF10

Function 04C83C50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81045e6582f51dcaf21afdcf597b08f8a7f11a3e99908a1bbce96b9539069e26
Instruction ID: fce9fbed2232fa09b4908cc146a81747ec294b18803d36ebf930b31c7a381b98
Opcode Fuzzy Hash: 81045e6582f51dcaf21afdcf597b08f8a7f11a3e99908a1bbce96b9539069e26
Instruction Fuzzy Hash: D1C1C574E00218CFDB14DFA5C994B9DBBB2BF89304F2085A9D409AB365DB35AE85CF50

Function 04C8E078 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffe094f758a1dd565207ef975e29283c3df17b602257d89251cd04a8694e794
Instruction ID: 4c9f1b956ab4bbf1acbf55fe9c03c8a59e23e1a7cf0723f8d776c2de9e4b6b06
Opcode Fuzzy Hash: dffe094f758a1dd565207ef975e29283c3df17b602257d89251cd04a8694e794
Instruction Fuzzy Hash: D1C1C474E00218CFDB54EFA5C984B9DBBB2BF89304F2085A9D409AB365DB359E85CF50

Function 04C8B828 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fba168045ec3c676758f98ed8ac2f7fba0da77d80126d9cfb705d78083d397
Instruction ID: 6edd2b52078f7540133b059d5627f29df3035a0f8e9363bb92549a3545ed45a7
Opcode Fuzzy Hash: d7fba168045ec3c676758f98ed8ac2f7fba0da77d80126d9cfb705d78083d397
Instruction Fuzzy Hash: 54C1C574E00218CFDB54DFA5C984B9DBBB2BF89304F2085A9D409AB365DB35AE85CF10

Function 04C8DC20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac871be760d303704dfbdb4679b93c36bb32acbece050373ec4469b01b4450d1
Instruction ID: 14b5c844746ff62a79edd9d391bd2d6ab868147ebf0aa1923549eb15204e95ea
Opcode Fuzzy Hash: ac871be760d303704dfbdb4679b93c36bb32acbece050373ec4469b01b4450d1
Instruction Fuzzy Hash: 86C1C474E00218CFDB14DFA5C984B9DBBB2BF89304F2085A9D409AB3A5DB359E85CF50

Function 04C8F1D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606ac9ab4459a8fc919204ca74ed71e3e944a1d1d69b1c6958b044948b475730
Instruction ID: f0901f2733f03c1db9cea05a691861ce90fc4bf0bbf27ee6a35ebea4468de815
Opcode Fuzzy Hash: 606ac9ab4459a8fc919204ca74ed71e3e944a1d1d69b1c6958b044948b475730
Instruction Fuzzy Hash: D0C1C274E00218CFDB54EFA5C994B9DBBB2BF89304F2085A9D409AB365DB359E85CF10

Function 04C8CDE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689f50672413a5a04f2852e30df84c79838ef3c9a46a25eceed7206ad6cbf429
Instruction ID: 19008f0c1b5129c1359b8aee03dafa38c5a5f795d3582412b9c47a73590e6487
Opcode Fuzzy Hash: 689f50672413a5a04f2852e30df84c79838ef3c9a46a25eceed7206ad6cbf429
Instruction Fuzzy Hash: 46C1C474E00218CFDB14DFA5C984B9DBBB2BF89304F2085A9D409AB3A4DB359E85CF50

Function 04C8C988 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c52d725db51ca059329ecf5dca2d5782490e7071465ba8f76d50a09ba69168
Instruction ID: f7d90ba1ca69b7bca55df216c9154621d6c3562e8e28855aeabbf169e742dd8a
Opcode Fuzzy Hash: f7c52d725db51ca059329ecf5dca2d5782490e7071465ba8f76d50a09ba69168
Instruction Fuzzy Hash: BDC1C374E00218CFDB54EFA5C984B9DBBB2BF89304F2085A9D409AB364DB359E85CF50

Function 04C8ED80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c689ea5cdb2a78e0653bd32a9e2814e9fdef4811aae7ef9a7a869b5e3932742
Instruction ID: ec585595c75c7e8c2082c6d4e33645a3bdc91259d5834de1a7aeddc7ada45a37
Opcode Fuzzy Hash: 2c689ea5cdb2a78e0653bd32a9e2814e9fdef4811aae7ef9a7a869b5e3932742
Instruction Fuzzy Hash: 89C1B374E00218CFDB54EFA5C984B9DBBB2BF89304F2085A9D409AB365DB359E85CF50

Function 04C811A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4714f6fa8633cbe07191e5268ba9873c11e3ccb2a400a88d954690e4e02869
Instruction ID: bf5a6d275590674ffd4011fa29f74107ab18920a11c2a5f7bae56b7c7ef96969
Opcode Fuzzy Hash: 8a4714f6fa8633cbe07191e5268ba9873c11e3ccb2a400a88d954690e4e02869
Instruction Fuzzy Hash: B8C1AF74E00218CFDB14DFA5C984B9DBBF2BF89304F2485A9D409AB364DB359A86CF10

Function 04C80D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931c12314ac373876f323f4947470c799b2c44b6c2b6e2c849aa360ee0cf66b1
Instruction ID: 531910f8bfb070e5cb39feeea11e2f1161fd909fccdcdc0ac98caafb32a90a8e
Opcode Fuzzy Hash: 931c12314ac373876f323f4947470c799b2c44b6c2b6e2c849aa360ee0cf66b1
Instruction Fuzzy Hash: DCC1C374E00218CFDB14DFA5C984B9DBBB2BF89304F2085A9D409AB365DB359E85CF50

Function 04C8E928 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1835805be3366047e23679366fecb2e1e6f983a7d179d1ad687e6ccb24bbfbdf
Instruction ID: 4895a4e21459624d2d21c1b5c3dee5ac991ba1939ba41eff808c8eaeb65d4c7e
Opcode Fuzzy Hash: 1835805be3366047e23679366fecb2e1e6f983a7d179d1ad687e6ccb24bbfbdf
Instruction Fuzzy Hash: 5BC1C474E00218CFDB54DFA5C994B9DBBB2BF89304F2085A9D409AB365DB359E85CF10

Function 04C8C530 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ceabdb21d28a65864fe94c5a2a4d07c4f1e56dd104becc771b737b6676063b
Instruction ID: 410ef3a2244625a6f449e4ed77779ee84be5f70cbe6a669f500ddfaaa10eabc0
Opcode Fuzzy Hash: 65ceabdb21d28a65864fe94c5a2a4d07c4f1e56dd104becc771b737b6676063b
Instruction Fuzzy Hash: 4BC1B274E00218CFDB14EFA5C994B9DBBB2BF89304F2085A9D409AB365DB359E85CF50

Function 04C8A6C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8d60f2f99c537f872e1bb965685affe5ab2e5228ead9106d69692ea2ad2f61
Instruction ID: 9a9eba16f1b946d1644c58e8dfcca067f0388b0fa2159fed2af47646dc060be4
Opcode Fuzzy Hash: 3b8d60f2f99c537f872e1bb965685affe5ab2e5228ead9106d69692ea2ad2f61
Instruction Fuzzy Hash: 8BC1B374E00218CFDB14DFA5C984B9DBBB2BF89304F2085AAD409AB364DB359E85CF10

Function 04C82AF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fc39a9d4e15476c138698efd3c32d948ef1995d5db5726e098c8dc3e6981d5
Instruction ID: 37ea71af6ed7ef7cc84164e429c850ae37aba16ce0a9e2e70669fbb8217d4906
Opcode Fuzzy Hash: c3fc39a9d4e15476c138698efd3c32d948ef1995d5db5726e098c8dc3e6981d5
Instruction Fuzzy Hash: EBC1C374E01218CFDB14EFA5C984B9DBBB2BF89304F2085A9D409AB364DB359E85CF50

Function 04C8FA88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c1b0ce80cdc58bcfd8568a357de8d94600217fd5dd6aaaf701f2ddf4f940e9
Instruction ID: 2a0a78300d150a419daa6f99ff30fa4badeee459ce12a3a5337309994f25e0f1
Opcode Fuzzy Hash: e0c1b0ce80cdc58bcfd8568a357de8d94600217fd5dd6aaaf701f2ddf4f940e9
Instruction Fuzzy Hash: 65C1C374E00218CFDB14EFA5C994B9DBBB2BF89304F2085A9D409AB365DB359E85CF10

Function 04C8D690 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec466f9168fad8d1511a4bbc9a817065d30f1a1b74dbe1b3a85ad9ca71605a26
Instruction ID: 9006f234823457b0e80e2f54b0e729b977d291b736bfff525136d72296c0bb8e
Opcode Fuzzy Hash: ec466f9168fad8d1511a4bbc9a817065d30f1a1b74dbe1b3a85ad9ca71605a26
Instruction Fuzzy Hash: A5C1A474E00218CFDB14DFA5C994B9DBBB2BF89304F2085A9D409AB3A5DB359E85CF50

Function 04C8A270 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830ddc0bd926e1b5323605b4243fb26bfb753e5147c072bf8dab1aa8eeee381c
Instruction ID: 4129e9ebace8fb81878f45a04872916b77dbc22b6494d5039ac7b83ffd7718ec
Opcode Fuzzy Hash: 830ddc0bd926e1b5323605b4243fb26bfb753e5147c072bf8dab1aa8eeee381c
Instruction Fuzzy Hash: CEC1B374E00218CFDB14DFA5C984B9DBBB2BF89304F2081AAD409AB364DB359E85CF50

Function 04C8D238 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2268880c5f09dc8ca0ff77cd5e8e8aaea6612032b23ab25e31b787650d540b
Instruction ID: 56cfb93ab3aeb2ea397891e7558ecc0f08ee1e58a4d233bf04ac03e06ba3f537
Opcode Fuzzy Hash: 7c2268880c5f09dc8ca0ff77cd5e8e8aaea6612032b23ab25e31b787650d540b
Instruction Fuzzy Hash: CAC1C474E00218CFDB54DFA5C984B9DBBB2BF89304F2085A9D409AB3A5DB359E85CF50

Function 04C8F630 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7502b346b15f4a2972a5953001e8bbf2215737759be5fb0407f171c066b86c3e
Instruction ID: 630a65f9b6c6c2a1e1b94ad653ced878d645931a5fc4749ee738f399ae76cdae
Opcode Fuzzy Hash: 7502b346b15f4a2972a5953001e8bbf2215737759be5fb0407f171c066b86c3e
Instruction Fuzzy Hash: 4CC1B174E00218CFDB14EFA5C984B9DBBB2BF89304F2081A9D409AB365DB359E85CF50

Function 04C8B3D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6deb1357faf01311dd0035b68e82f1ae2b678d9221201768d9f30d6e15b90ea7
Instruction ID: 75698e0cba54cd059e3c893c4cf005681dbef5cb320e9fd409d108b2eb6c254e
Opcode Fuzzy Hash: 6deb1357faf01311dd0035b68e82f1ae2b678d9221201768d9f30d6e15b90ea7
Instruction Fuzzy Hash: F8C1B474E01218CFDB14DFA5C994B9DBBB2BF89304F2081A9D409AB365DB35AE85CF50

Function 04C837F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a074adfe8576f633c8b33f00e77ea7386ffd797e4cd86eb895129df77b6fdd09
Instruction ID: 286368f8e962017bc2dc8a5e9341c883a2b93f49018f1d4c23b082576d75d346
Opcode Fuzzy Hash: a074adfe8576f633c8b33f00e77ea7386ffd797e4cd86eb895129df77b6fdd09
Instruction Fuzzy Hash: 09C1C574E00218CFDB14DFA5C984B9DBBB2BF89304F2095A9D409AB365DB359E85CF10

Function 04C833A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57673bb97bc11704c45bfe2a29b87cf673d153e1d74376ce6148d69db22aad6a
Instruction ID: f45ee0351b180e6e42a1ded5803dfa0add593104cf8b80c33c750b286d07cfe6
Opcode Fuzzy Hash: 57673bb97bc11704c45bfe2a29b87cf673d153e1d74376ce6148d69db22aad6a
Instruction Fuzzy Hash: 9EC1C474E00218CFDB14DFA5C984B9DBBB2BF89304F2095A9D809AB364DB359E85CF10

Function 04C82F48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ce323143d29022dca50a69f8a932e2d798def11e1ec5c4cda3689e35407385
Instruction ID: 0d20f1c769765e5f71203623b361055362742f5cfea3282077f9cc62ba0f7182
Opcode Fuzzy Hash: 26ce323143d29022dca50a69f8a932e2d798def11e1ec5c4cda3689e35407385
Instruction Fuzzy Hash: 91C1B474E00218CFDB14DFA5C994B9DBBB2BF89304F2095A9D809AB365DB359E85CF10

Function 04C8AF78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d570a2a508a1b115e4198940f36723f32a9296696e74620afd0c39cfc241431
Instruction ID: e3325ac50c4b2915d9b12e27954f7d1ae5323d628f9268d817039544d2a73c11
Opcode Fuzzy Hash: 0d570a2a508a1b115e4198940f36723f32a9296696e74620afd0c39cfc241431
Instruction Fuzzy Hash: 4FC1C574E00218CFDB14DFA5C954B9DBBB2BF89304F2085A9D409AB364DB35AE85CF10

Function 04C8AB20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742fc8134704fc48e76002a265261f65260f89310c74376d3e39c0ecbc0108b4
Instruction ID: b92a3e02fa8d84509798544dcbece112728b077fb2824ae8a691a133d3130973
Opcode Fuzzy Hash: 742fc8134704fc48e76002a265261f65260f89310c74376d3e39c0ecbc0108b4
Instruction Fuzzy Hash: EAC1C374E00218CFDB14DFA5C984B9DBBB2BF89304F2085AAD409AB365DB359E85CF50

Function 04C87770 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

(o^q, xrefs: 04C877AE
(o^q, xrefs: 04C87869
(o^q, xrefs: 04C87932
(o^q, xrefs: 04C87895

Memory Dump Source

Source File: 00000002.00000002.4094813052.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c80000_CTM REQUEST-ETD JAN 22, 2024_pdf.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: ee4a60ff67a76845ff3e72b5338f16b17e1266489eb17a7854200780afc8520c
Instruction ID: 4189483db4176af34a1ab5c40f7a974d4b9eae8fd27e1a0dd9209770633cc265
Opcode Fuzzy Hash: ee4a60ff67a76845ff3e72b5338f16b17e1266489eb17a7854200780afc8520c
Instruction Fuzzy Hash: 64C14B34A012099FCB14DF69C984AAEBBF2FF88318F258559E855AB361E730FD41CB50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTM REQUEST-ETD JAN 22, 2024_pdf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
CTM REQUEST-ETD JAN 22, 2024_pdf.exe

Function 07849C70 Relevance: 1.9, Strings: 1, Instructions: 650
COMMON

Function 072D1A50 Relevance: 38.1, Strings: 28, Instructions: 3073
COMMON

Function 072DBC60 Relevance: 6.7, Strings: 5, Instructions: 418
COMMON

Function 0782E990 Relevance: 3.9, Strings: 3, Instructions: 116
COMMON

Function 0782EAF0 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Function 072DBC27 Relevance: 2.6, Strings: 2, Instructions: 115
COMMON

Function 078498DC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 078498E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 055CB2BA Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 0782D5E0 Relevance: 1.7, Strings: 1, Instructions: 429
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre