Windows Analysis Report
AdobePDF.exe

Overview

General Information

Sample name: AdobePDF.exe
Analysis ID: 1587430
MD5: 44cc93b896b10417f5d231088ffe6924
SHA1: 5def3a0114a71e6affd57d9bc7b9757bf4b6eb14
SHA256: 587d10cf5d8c91fe31141bad01719e6a99914010659ef951b1680e97559e7910
Tags: exe, user-zhuzhu0009

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
AI detected suspicious sample
Allocates memory in foreign processes
Drops PE files to the document folder of the user
Drops large PE files
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • AdobePDF.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\AdobePDF.exe" MD5: 44CC93B896B10417F5D231088FFE6924)
    • csc.exe (PID: 7544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
    • csc.exe (PID: 7876 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
No configs have been found
YARA matches in memory dumps (Source | Rule | Description | Author):
00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000002.00000002.4208782145.0000000009850000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000005.00000002.2524199967.0000000008743000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000005.00000002.2525223078.0000000009EC0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

YARA matches in unpacked PE files (Source | Rule | Description | Author):
2.2.csc.exe.81c92a0.1.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
2.2.csc.exe.9850000.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
5.2.csc.exe.87c92a0.1.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
5.2.csc.exe.9ec0000.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

                    System Summary

Sigma rule: CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Documents\Elaborate Bytes\HD Tach\hdtach.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AdobePDF.exe, ProcessId: 7332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QualysDLP
No Suricata rule has matched

                    AV Detection

Source: AdobePDF.exe | Virustotal: Detection: 12%
Source: AdobePDF.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_00530E10 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsGetValue,TlsGetValue
Source: AdobePDF.exe, 00000000.00000002.2226482063.000000007FFF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: AdobePDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: AdobePDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: E:\builds\CST-RED-LCW\target\i686-pc-windows-msvc\release\deps\bdredline.pdb | source: AdobePDF.exe, hdtach.exe.0.dr
Source: Binary string: protobuf-net.pdb | source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 181.71.216.203:30203
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net
Source: csc.exe, 00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4207828082.0000000007223000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.00000000077FB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.0000000007621000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AdobePDF.exe, hdtach.exe.0.dr | String found in binary or memory: http://www.w3.or
Source: AdobePDF.exe, hdtach.exe.0.dr | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: AdobePDF.exe, hdtach.exe.0.dr | String found in binary or memory: https://curl.se/docs/hsts.html
Source: AdobePDF.exe, hdtach.exe.0.dr | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: hdtach.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: AdobePDF.exe, hdtach.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issues46
Source: hdtach.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issuesC:
Source: hdtach.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issuesSUBCOMMAND
Source: AdobePDF.exe, hdtach.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issuesunexpected
Source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
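The Sigma hit recorded above (a Run value named QualysDLP pointing at the dropped hdtach.exe under the user's Documents folder), the two csc.exe children of AdobePDF.exe in the process tree, and the TCP connection to 181.71.216.203:30203 and DNS query for newstaticfreepoint24.ddns-ip.net are the telemetry a detection team would hunt for after reading this report. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it applies the autorun-key logic of the matched Sigma rule (escalating when the registered binary lives in a user-writable directory, as hdtach.exe does), flags csc.exe launched by anything other than a build tool, and matches the report's hashes, domain and endpoint, all over constructed Sysmon, DNS and flow records written as JSON lines. The record field names, the parent allow-list and the sample records themselves are assumptions to adapt to your own pipeline.

```python
"""Hunt for the behaviours this report records, over constructed Sysmon, DNS and
flow records (JSON lines) shaped after the report. Added example, not Joe Sandbox code."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Indicators copied from the report: sample hashes, C2 endpoint, DNS name.
REPORT_IOCS = {
    "md5": {"44cc93b896b10417f5d231088ffe6924"},
    "sha256": {"587d10cf5d8c91fe31141bad01719e6a99914010659ef951b1680e97559e7910"},
    "domains": {"newstaticfreepoint24.ddns-ip.net"},
    "endpoints": {("181.71.216.203", 30203)},
}

# Autorun keys covered by the matched Sigma rule family (Run, RunOnce, RunServices, ...).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?\\", re.I)
# Directories a standard user can write to; installers rarely register autoruns from here.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Documents|AppData|Downloads|Desktop)\\", re.I)
# Parents that legitimately launch the C# compiler (assumption: tune to your environment).
CSC_PARENT_ALLOW = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_sysmon(ev: dict) -> list[Finding]:
    """Apply the three host-side detections to one Sysmon event (EventData fields as a dict)."""
    out: list[Finding] = []
    if ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
        target, details = ev.get("TargetObject", ""), ev.get("Details", "").strip('"')
        if AUTORUN_KEY.search(target):
            # Escalate when the autorun target sits in a user-writable directory.
            sev = "high" if USER_WRITABLE.match(details) else "medium"
            out.append(Finding("autorun_key_set", f"{sev}: {target} -> {details} by {ev.get('Image')}"))
    if ev.get("EventID") == 1:
        image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
        if image == "csc.exe" and parent not in CSC_PARENT_ALLOW:
            out.append(Finding("csc_from_unusual_parent", f"{parent} spawned csc.exe (pid {ev.get('ProcessId')})"))
        # Sysmon writes Hashes as "MD5=...,SHA256=..."; split into a dict and compare case-insensitively.
        hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
        if (hashes.get("MD5", "").lower() in REPORT_IOCS["md5"]
                or hashes.get("SHA256", "").lower() in REPORT_IOCS["sha256"]):
            out.append(Finding("known_hash", f"{ev.get('Image')} matches the analysed sample"))
    return out


def check_network(rec: dict) -> list[Finding]:
    """Match DNS queries and flow records against the report's network indicators."""
    out: list[Finding] = []
    if rec.get("query", "").lower().rstrip(".") in REPORT_IOCS["domains"]:
        out.append(Finding("dns_ioc", f"{rec.get('src')} resolved {rec['query']}"))
    if (rec.get("dst_ip"), rec.get("dst_port")) in REPORT_IOCS["endpoints"]:
        out.append(Finding("c2_endpoint", f"{rec.get('src')} -> {rec['dst_ip']}:{rec['dst_port']}"))
    return out


def hunt(lines: list[str]) -> list[Finding]:
    """Route each JSON record to the host or network checks and collect all findings."""
    findings: list[Finding] = []
    for line in lines:
        rec = json.loads(line)
        findings.extend(check_sysmon(rec) if "EventID" in rec else check_network(rec))
    return findings


# Constructed telemetry shaped after the report's process tree, registry hit and traffic.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\AdobePDF.exe", "ProcessId": 7332,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=44CC93B896B10417F5D231088FFE6924,SHA256=587D10CF5D8C91FE31141BAD01719E6A99914010659EF951B1680E97559E7910"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "ProcessId": 7544,
     "ParentImage": r"C:\Users\user\Desktop\AdobePDF.exe", "Hashes": "MD5=EB80BB1CA9B9C7F516FF69AFCFD75B7D"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "ProcessId": 9001,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\MSBuild.exe", "Hashes": ""},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\user\Desktop\AdobePDF.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QualysDLP",
     "Details": r"C:\Users\user\Documents\Elaborate Bytes\HD Tach\hdtach.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"src": "192.168.2.4", "query": "newstaticfreepoint24.ddns-ip.net"},
    {"src": "192.168.2.4", "dst_ip": "181.71.216.203", "dst_port": 30203, "proto": "tcp"},
    {"src": "192.168.2.4", "dst_ip": "1.1.1.1", "dst_port": 53, "proto": "udp"},
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f"[{f.rule}] {f.detail}")
```

Run against the constructed records it raises six findings: the sample hash on the AdobePDF.exe process start, csc.exe spawned by AdobePDF.exe (the MSBuild-launched csc.exe is allowed), the QualysDLP Run value at high severity and the Program Files autorun at medium, the DNS name and the 181.71.216.203:30203 flow. Feed it real Sysmon and Zeek or firewall exports by converting them to the same JSON lines.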

                    System Summary

Source: C:\Users\user\Desktop\AdobePDF.exe | File dump: hdtach.exe.0.dr (959667331 bytes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\AdobePDF.exe | Code functions:
0_2_0054604D, 0_2_005B1060, 0_2_00401000, 0_2_00547833, 0_2_004B3020, 0_2_00449900, 0_2_00484100, 0_2_005011C0,
0_2_004859F0, 0_2_005479AE, 0_2_00526A00, 0_2_00548201, 0_2_0048B210, 0_2_00428B50, 0_2_00540B40, 0_2_0042D370,
0_2_0045CB20, 0_2_004B3320, 0_2_00502BD0, 0_2_005473B9, 0_2_00427C76, 0_2_00545C16, 0_2_005264C0, 0_2_005434CC,
0_2_0054849D, 0_2_00500C80, 0_2_0054648D, 0_2_004FFD50, 0_2_0042A560, 0_2_00543579, 0_2_00502560, 0_2_00422570,
0_2_00501D10, 0_2_004BFD30, 0_2_00490DB0, 0_2_00547E43, 0_2_005486F1, 0_2_004FFEA0, 0_2_0051FF00, 0_2_00542FD0,
0_2_005027E0, 0_2_00502F80, 0_2_0054A7A0, 0_2_00891402, 0_2_008B3783, 0_2_0089380F, 0_2_008A0805, 0_2_0089983E,
0_2_008A9199, 0_2_0089212E, 0_2_008952CE, 0_2_00891AD9, 0_2_008922D5, 0_2_00891AE8, 0_2_00895AE1, 0_2_00891AFF,
0_2_00891A43, 0_2_0089B271, 0_2_00891A75, 0_2_00891B82, 0_2_00895B99, 0_2_0089B3C9, 0_2_0089A3EB, 0_2_008A93E5,
0_2_00892327, 0_2_0089736C, 0_2_0089B36E, 0_2_00891B7B, 0_2_00891B76, 0_2_0089B482, 0_2_0089B49F, 0_2_0089B41D,
0_2_00891443, 0_2_0089F47A, 0_2_00893472, 0_2_008955F7, 0_2_008B5500, 0_2_008A0D16, 0_2_008A06BE, 0_2_0089AE03,
0_2_00892E2E, 0_2_00891657, 0_2_008A8FA8, 0_2_0089B7A2, 0_2_0089B7B0, 0_2_0089B7D2, 0_2_00895702, 0_2_0089B71C,
0_2_00891F1F, 0_2_0089B75E, 0_2_00891F55, 0_2_008E405B, 0_2_008EFC6B, 0_2_008ED6A3, 0_2_008E47BA, 0_2_008E4886,
0_2_008ED8A6, 0_2_008E48BD, 0_2_008E68BA, 0_2_008E40B6, 0_2_008E20CF, 0_2_008E48C5, 0_2_008F18C0, 0_2_008EE8E6,
0_2_008E481A, 0_2_008E0027, 0_2_008E4845, 0_2_008EF054, 0_2_008F818F, 0_2_008E419E, 0_2_008F499C, 0_2_008E41A9,
0_2_008ED9A7, 0_2_008F09A2, 0_2_008E41E6, 0_2_008E41F4, 0_2_008E010B, 0_2_008F4106, 0_2_008E491D, 0_2_008E4910,
0_2_008ED92D, 0_2_008EF933, 0_2_008E515D, 0_2_008E4155, 0_2_008E9955, 0_2_008E4174, 0_2_008E3A9A, 0_2_008F42A6,
0_2_008F0AF2, 0_2_008E3A14, 0_2_008E9A2B, 0_2_008EBA20, 0_2_008EDA3B, 0_2_008E4A32, 0_2_008EE24C, 0_2_008EDA68,
0_2_008F1A66, 0_2_008E7261, 0_2_008E7276, 0_2_008E2388, 0_2_008F1388, 0_2_008EEB80, 0_2_008F8B94, 0_2_008E4BA0,
0_2_008E3BC2, 0_2_008E4BDC, 0_2_008F03E6, 0_2_008E4B28, 0_2_008E4B4D, 0_2_008F0B45, 0_2_00900343, 0_2_008E8B67,
0_2_008E4C92, 0_2_008E4CF9, 0_2_008E4CF6, 0_2_008E9455, 0_2_008E4C51, 0_2_008E4C66, 0_2_008F9584, 0_2_008E4D9B,
0_2_008ED596, 0_2_008E3DA8, 0_2_008E45B1, 0_2_008F0DDC, 0_2_008EC5DD, 0_2_008ED5D6, 0_2_008E3DE4, 0_2_008E3DF2,
0_2_008E4D08, 0_2_008E4D1E, 0_2_008E751C, 0_2_008E3D70, 0_2_008ED685, 0_2_008F0EA9, 0_2_008F46C0, 0_2_008E46DA,
0_2_008F0ED1, 0_2_008E46E5, 0_2_008E86F3, 0_2_008E46F1, 0_2_008E3E09, 0_2_008E661F, 0_2_008F0E1E, 0_2_008E461C,
0_2_008F4645, 0_2_008F1640, 0_2_008E765A, 0_2_008E4666, 0_2_008ED67C, 0_2_008F2E73, 0_2_008F4F81, 0_2_008F17A7,
0_2_008E47A7, 0_2_008F07BC, 0_2_008F37C5, 0_2_008E0FF2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_008F472C0_2_008F472C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_008ED7250_2_008ED725
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_008F07420_2_008F0742
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_008E677A0_2_008E677A
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD837830_2_3BD83783
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B7D20_2_3BD6B7D2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD7A3CA0_2_3BD7A3CA
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B3C90_2_3BD6B3C9
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD793E50_2_3BD793E5
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD79FEC0_2_3BD79FEC
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6A3EB0_2_3BD6A3EB
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD65B990_2_3BD65B99
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B7B00_2_3BD6B7B0
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B7A20_2_3BD6B7A2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD823A50_2_3BD823A5
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD78FA80_2_3BD78FA8
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B75E0_2_3BD6B75E
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD847540_2_3BD84754
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B36E0_2_3BD6B36E
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6736C0_2_3BD6736C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B71C0_2_3BD6B71C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD657020_2_3BD65702
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD8172E0_2_3BD8172E
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD842CD0_2_3BD842CD
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD652CE0_2_3BD652CE
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD65AE10_2_3BD65AE1
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD826E30_2_3BD826E3
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD706BE0_2_3BD706BE
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B2710_2_3BD6B271
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6AE030_2_3BD6AE03
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD655F70_2_3BD655F7
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD805FA0_2_3BD805FA
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD791990_2_3BD79199
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD7A1640_2_3BD7A164
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD829640_2_3BD82964
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD70D160_2_3BD70D16
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD855000_2_3BD85500
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B49F0_2_3BD6B49F
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B4820_2_3BD6B482
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD808610_2_3BD80861
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6B41D0_2_3BD6B41D
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD708050_2_3BD70805
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BD6380F0_2_3BD6380F
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB47BA0_2_3BEB47BA
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD6A30_2_3BEBD6A3
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBFC6B0_2_3BEBFC6B
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC03E60_2_3BEC03E6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3BC20_2_3BEB3BC2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4BDC0_2_3BEB4BDC
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4BA00_2_3BEB4BA0
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB23880_2_3BEB2388
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC13880_2_3BEC1388
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBEB800_2_3BEBEB80
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC8B940_2_3BEC8B94
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB8B670_2_3BEB8B67
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4B4D0_2_3BEB4B4D
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC0B450_2_3BEC0B45
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BED03430_2_3BED0343
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4B280_2_3BEB4B28
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC0AF20_2_3BEC0AF2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC42A60_2_3BEC42A6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3A9A0_2_3BEB3A9A
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBDA680_2_3BEBDA68
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB72610_2_3BEB7261
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC1A660_2_3BEC1A66
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB72760_2_3BEB7276
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBE24C0_2_3BEBE24C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB9A2B0_2_3BEB9A2B
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBBA200_2_3BEBBA20
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBDA3B0_2_3BEBDA3B
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4A320_2_3BEB4A32
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3A140_2_3BEB3A14
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB41E60_2_3BEB41E6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB41F40_2_3BEB41F4
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB41A90_2_3BEB41A9
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD9A70_2_3BEBD9A7
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC09A20_2_3BEC09A2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC499C0_2_3BEC499C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB419E0_2_3BEB419E
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB41740_2_3BEB4174
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB515D0_2_3BEB515D
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB41550_2_3BEB4155
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB99550_2_3BEB9955
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD92D0_2_3BEBD92D
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBF9330_2_3BEBF933
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB010B0_2_3BEB010B
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC41060_2_3BEC4106
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB491D0_2_3BEB491D
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB49100_2_3BEB4910
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBE8E60_2_3BEBE8E6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB20CF0_2_3BEB20CF
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC18C00_2_3BEC18C0
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB48C50_2_3BEB48C5
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD8A60_2_3BEBD8A6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB68BA0_2_3BEB68BA
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB48BD0_2_3BEB48BD
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB40B60_2_3BEB40B6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB48860_2_3BEB4886
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB48450_2_3BEB4845
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB405B0_2_3BEB405B
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBF0540_2_3BEBF054
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB00270_2_3BEB0027
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB481A0_2_3BEB481A
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB0FF20_2_3BEB0FF2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC37C50_2_3BEC37C5
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC17A70_2_3BEC17A7
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB47A70_2_3BEB47A7
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC07BC0_2_3BEC07BC
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC4F810_2_3BEC4F81
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB677A0_2_3BEB677A
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC07420_2_3BEC0742
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC472C0_2_3BEC472C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD7250_2_3BEBD725
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB46E50_2_3BEB46E5
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB86F30_2_3BEB86F3
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB46F10_2_3BEB46F1
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC46C00_2_3BEC46C0
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC7EC20_2_3BEC7EC2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB46DA0_2_3BEB46DA
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC0ED10_2_3BEC0ED1
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC0EA90_2_3BEC0EA9
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD6850_2_3BEBD685
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB46660_2_3BEB4666
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD67C0_2_3BEBD67C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC2E730_2_3BEC2E73
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC46450_2_3BEC4645
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC16400_2_3BEC1640
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB765A0_2_3BEB765A
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3E090_2_3BEB3E09
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC0E1E0_2_3BEC0E1E
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB661F0_2_3BEB661F
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB461C0_2_3BEB461C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3DE40_2_3BEB3DE4
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3DF20_2_3BEB3DF2
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC0DDC0_2_3BEC0DDC
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBC5DD0_2_3BEBC5DD
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD5D60_2_3BEBD5D6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3DA80_2_3BEB3DA8
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB45B10_2_3BEB45B1
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEC95840_2_3BEC9584
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4D9B0_2_3BEB4D9B
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEBD5960_2_3BEBD596
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB3D700_2_3BEB3D70
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4D080_2_3BEB4D08
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4D1E0_2_3BEB4D1E
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB751C0_2_3BEB751C
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4CF90_2_3BEB4CF9
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4CF60_2_3BEB4CF6
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4C920_2_3BEB4C92
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4C660_2_3BEB4C66
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB4C510_2_3BEB4C51
                    Source: C:\Users\user\Desktop\AdobePDF.exeCode function: 0_2_3BEB94550_2_3BEB9455
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_053B30082_2_053B3008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_053B2FF82_2_053B2FF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_097DC5DF2_2_097DC5DF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_097DC9172_2_097DC917
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_097D3D482_2_097D3D48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_097D3D382_2_097D3D38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_097DD6882_2_097DD688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_099229F82_2_099229F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_099209102_2_09920910
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_099261102_2_09926110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_099215282_2_09921528
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_099244C82_2_099244C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_099229E92_2_099229E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_09920C582_2_09920C58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_09922C762_2_09922C76
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_09921EB82_2_09921EB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_09921EF02_2_09921EF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_09921EE02_2_09921EE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_0994E8502_2_0994E850
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 2_2_0994CED82_2_0994CED8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_072F30085_2_072F3008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_072F2FF85_2_072F2FF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09E4C5E75_2_09E4C5E7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09E4C9175_2_09E4C917
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09E488F65_2_09E488F6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09E4D6885_2_09E4D688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F929F85_2_09F929F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F915285_2_09F91528
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F909105_2_09F90910
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F929E95_2_09F929E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F92C765_2_09F92C76
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F90C585_2_09F90C58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F91EF05_2_09F91EF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09F91EEF5_2_09F91EEF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09FBE8505_2_09FBE850
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09FBE84F5_2_09FBE84F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09FBE8185_2_09FBE818
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 5_2_09FBD2905_2_09FBD290
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: String function: 005B1730 appears 34 times
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: String function: 005B1A30 appears 50 times
Source: AdobePDF.exe, 00000000.00000002.2200312594.00000000026DA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVppuhvl.exe" vs AdobePDF.exe
Source: AdobePDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal88.evad.winEXE@5/2@1/1
Source: C:\Users\user\Desktop\AdobePDF.exe | File created: C:\Users\user\Documents\Elaborate Bytes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Mutant created: \Sessions\1\BaseNamedObjects\mono1234
Source: AdobePDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\AdobePDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AdobePDF.exe | Virustotal: Detection: 12%
Source: AdobePDF.exe | ReversingLabs: Detection: 15%
Source: AdobePDF.exe | String found in binary or memory: error: --helphelp For more information try C:\Users\compile-bamboo\.cargo\registry\src\index.crates.io-6f17d22bba15001f\os_str_bytes-6.5.1\src\raw_str.rs (4 occurrences)
Source: AdobePDF.exe | String found in binary or memory: --helphelp For more information try C:\Users\compile-bamboo\.cargo\registry\src\index.crates.io-6f17d22bba15001f\os_str_bytes-6.5.1\src\raw_str.rs (6 occurrences)
Source: AdobePDF.exe | String found in binary or memory: error: --helphelpFor more information try C:\Users\compile-bamboo\.cargo\registry\src\index.crates.io-6f17d22bba15001f\os_str_bytes-6.5.1\src\raw_str.rs (2 occurrences)
Source: AdobePDF.exe | String found in binary or memory: --helphelpFor more information try C:\Users\compile-bamboo\.cargo\registry\src\index.crates.io-6f17d22bba15001f\os_str_bytes-6.5.1\src\raw_str.rs (2 occurrences)
Source: AdobePDF.exe | String found in binary or memory: --helpupdating self (2 occurrences)
Source: AdobePDF.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s %u %s %s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: AdobePDF.exe | String found in binary or memory: --helphelp (2 occurrences)
Source: AdobePDF.exe | String found in binary or memory: {before-help}{bin} {version}
Source: AdobePDF.exe | String found in binary or memory: {all-args}{after-help}{before-help}{bin} {version}
Source: AdobePDF.exe | String found in binary or memory: {usage}{after-help}
Source: AdobePDF.exe | String found in binary or memory: &{before-help}{bin} {version}
Source: AdobePDF.exe | String found in binary or memory: author-section}about-section}usage-heading}all-args}positionals}subcommands}after-help}before-help}
Source: AdobePDF.exe | String found in binary or memory: /author-section}about-section}usage-heading}all-args}positionals}subcommands}after-help}before-help}$W`k
Source: C:\Users\user\Desktop\AdobePDF.exe | File read: C:\Users\user\Desktop\AdobePDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\AdobePDF.exe "C:\Users\user\Desktop\AdobePDF.exe"
Source: C:\Users\user\Desktop\AdobePDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\AdobePDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
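As an added example, not part of the Joe Sandbox report above: a short Python triage pass over report rows of the kind listed in this section. It parses each row into source, category and value and applies the checks a reviewer would otherwise make by hand here: csc.exe started with nothing but its own path on the command line (a compiler with no source files and no response file is being used as a host process, which fits the injection and "writes to foreign memory regions" signatures in the overview), hardware enumeration through WMI (Win32_Processor and similar classes) issued from that csc.exe, a version-resource OriginalFilename that disagrees with the sample name, a named mutex created inside csc.exe, and the Safer\CodeIdentifiers read, which is reported at informational level only because benign loaders read the Software Restriction Policy key as well. It also pulls crate names and versions out of the cargo registry paths left in the binary (os_str_bytes 6.5.1 here, pointing at a Rust build). The sample rows are constructed copies of rows from this report in the "Source: … | Category: value" shape; the rule names, severities and the DEV_PARENTS allowlist are my own assumptions, not anything the report states.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample rows modelled on the report above (not the report's raw HTML).
SAMPLE_ROWS = r"""
Source: AdobePDF.exe, 00000000.00000002.2200312594.00000000026DA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVppuhvl.exe" vs AdobePDF.exe
Source: C:\Users\user\Desktop\AdobePDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AdobePDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Mutant created: \Sessions\1\BaseNamedObjects\mono1234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: amsi.dll
Source: AdobePDF.exe | String found in binary or memory: error: --helphelp For more information try C:\Users\compile-bamboo\.cargo\registry\src\index.crates.io-6f17d22bba15001f\os_str_bytes-6.5.1\src\raw_str.rs
"""

ROW_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<category>[^:|]+?):\s*(?P<value>.*)$")
# Parents that legitimately spawn csc.exe (assumed allowlist); anything else is unusual.
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "powershell.exe", "cmd.exe"}
# WMI classes commonly enumerated to fingerprint a virtual machine.
VM_FINGERPRINT_CLASSES = {"win32_processor", "win32_diskdrive", "win32_bios", "win32_baseboard"}
CARGO_RE = re.compile(r"\.cargo\\registry\\src\\[^\\]+\\(?P<crate>[A-Za-z0-9_\-]+?)-(?P<ver>\d+\.\d+\.\d+)\\")
ORIGNAME_RE = re.compile(r'OriginalFilename(?P<orig>[^"\s]+)"\s+vs\s+(?P<sample>\S+)')


@dataclass
class Row:
    source: str
    category: str
    value: str


@dataclass
class Finding:
    rule: str
    severity: str
    source: str
    detail: str


def parse_rows(text: str) -> List[Row]:
    """Split 'Source: X | Category: value' rows into their three fields."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["source"], m["category"].strip(), m["value"].strip()))
    return rows


def basename(path: str) -> str:
    # Drop the ", <memory dump name>" suffix the report appends to memory-string sources.
    return path.split(",")[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_created(row: Row) -> Optional[Finding]:
    if row.category != "Process created":
        return None
    m = re.match(r"^(?P<image>\S+)\s+(?P<cmdline>.*)$", row.value)
    if not m or basename(m["image"]) != "csc.exe":
        return None
    # A real compile run carries /noconfig, @response-file or source paths; a bare path does not.
    has_args = m["cmdline"].strip().strip('"').lower() != m["image"].lower()
    if not has_args:
        return Finding("csc_no_compile_args", "high", row.source,
                       "csc.exe started with no source files or response file; typical hollowing host")
    if basename(row.source) not in DEV_PARENTS:
        return Finding("csc_unusual_parent", "medium", row.source, f"csc.exe spawned by {basename(row.source)}")
    return None


def check_wmi(row: Row) -> Optional[Finding]:
    if row.category != "WMI Queries":
        return None
    cls = row.value.rsplit(":", 1)[-1].strip().lower()      # class name after the last ':'
    if cls in VM_FINGERPRINT_CLASSES and basename(row.source) == "csc.exe":
        return Finding("vm_fingerprint_from_compiler", "high", row.source,
                       f"{cls} enumerated from csc.exe, which has no reason to query hardware")
    return None


def check_original_filename(row: Row) -> Optional[Finding]:
    m = ORIGNAME_RE.search(row.value)
    if m and m["orig"].lower() != m["sample"].lower():
        return Finding("original_filename_mismatch", "medium", row.source,
                       f"version resource says {m['orig']} but the sample is {m['sample']}")
    return None


def check_mutant(row: Row) -> Optional[Finding]:
    if row.category == "Mutant created" and basename(row.source) == "csc.exe" and row.value.upper() != "NULL":
        name = row.value.rsplit("\\", 1)[-1]
        return Finding("mutex_in_hollowed_host", "medium", row.source,
                       f"named mutex {name!r} created inside csc.exe; usable as a payload indicator")
    return None


def check_srp_probe(row: Row) -> Optional[Finding]:
    if row.category == "Key opened" and row.value.lower().endswith(r"\safer\codeidentifiers"):
        return Finding("srp_policy_read", "info", row.source,
                       "Software Restriction Policy key read; benign loaders do this too, so corroborate")
    return None


CHECKS: List[Callable[[Row], Optional[Finding]]] = [
    check_process_created, check_wmi, check_original_filename, check_mutant, check_srp_probe]


def triage(text: str) -> List[Finding]:
    return [f for row in parse_rows(text) for f in (c(row) for c in CHECKS) if f]


def cargo_crates(rows: List[Row]) -> Dict[str, str]:
    """Crate name -> version for every cargo registry path found in string rows."""
    crates: Dict[str, str] = {}
    for row in rows:
        for m in CARGO_RE.finditer(row.value):
            crates[m["crate"]] = m["ver"]
    return crates


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f.severity:<6}] {f.rule:<30} {f.detail}")
    print("Rust crates referenced:", cargo_crates(parse_rows(SAMPLE_ROWS)))
```

The parent allowlist only matters for csc.exe runs that do carry arguments; a bare `csc.exe "csc.exe"` command line is flagged regardless of parent, because no build system invokes the compiler that way. The Safer key finding is deliberately kept at informational level: on its own it is not evidence of anything, and it is the combination with the hollowed csc.exe and the WMI hardware queries that carries the verdict.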
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: a.dllJump to behavior
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\AdobePDF.exeSection loaded: a.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: AdobePDF.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: AdobePDF.exe | Static file information: File size 4024320 > 1048576
                    Source: AdobePDF.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b0e00
                    Source: AdobePDF.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1a0a00
                    Source: AdobePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: AdobePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: AdobePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: AdobePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: AdobePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: AdobePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: AdobePDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: protobuf-net.pdbSHA256}Lq | source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: E:\builds\CST-RED-LCW\target\i686-pc-windows-msvc\release\deps\bdredline.pdb | source: AdobePDF.exe, hdtach.exe.0.dr
                    Source: Binary string: protobuf-net.pdb | source: csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp

                    Data Obfuscation

                    Source: Yara match | File source: 2.2.csc.exe.81c92a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.csc.exe.9850000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.csc.exe.87c92a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.csc.exe.9ec0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4208782145.0000000009850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2524199967.0000000008743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2525223078.0000000009EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4208342328.0000000008143000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csc.exe PID: 7544, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: csc.exe PID: 7876, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_005062D0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex 0_2_005062D0
                    Source: AdobePDF.exe | Static PE information: real checksum: 0x27ecbf should be: 0x3da302
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_008987D8 push ecx; retf 0000h 0_2_008987D9
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_3BD687D8 push ecx; retf 0000h 0_2_3BD687D9
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_3BD62FA9 pushfd ; retf 0_2_3BD62FAA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_053B696D push ebx; retf 2_2_053B6972
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_097D3C81 push esp; retf 2_2_097D3C8D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_099260F0 push 5D07FA47h; ret 2_2_09926109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_0994C250 pushad ; iretd 2_2_0994C251
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_072F696D push ebx; retf 5_2_072F6972
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F980 push ebp; ret 5_2_09E4F982
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F979 push esi; ret 5_2_09E4F97A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4AB1C push ss; ret 5_2_09E4AB22
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4AAF1 push ss; ret 5_2_09E4AAF2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4FA01 push esi; ret 5_2_09E4FA02
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E43C81 push esp; retf 5_2_09E43C8D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EFD9 push eax; ret 5_2_09E4EFDA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EFB9 push eax; ret 5_2_09E4EFBA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EFBB push eax; ret 5_2_09E4EFD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EF98 push eax; ret 5_2_09E4EFB2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EF50 push eax; ret 5_2_09E4EF52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EF5C push eax; ret 5_2_09E4EF92
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EF58 push eax; ret 5_2_09E4EF5A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4EEAD push eax; ret 5_2_09E4EEBA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F1D0 push ecx; ret 5_2_09E4F1D2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F1A1 push ecx; ret 5_2_09E4F1A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F1A9 push ecx; ret 5_2_09E4F1AA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F150 push ecx; ret 5_2_09E4F152
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F159 push ecx; ret 5_2_09E4F15A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F129 push ecx; ret 5_2_09E4F12A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F131 push ecx; ret 5_2_09E4F132
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F100 push ecx; ret 5_2_09E4F102
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 5_2_09E4F0B0 push ecx; ret 5_2_09E4F0FA

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\AdobePDF.exe | File created: C:\Users\user\Documents\Elaborate Bytes\HD Tach\hdtach.exe
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QualysDLP
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: csc.exe PID: 7544, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: csc.exe PID: 7876, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: 53B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: 6FA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: 6BB0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: 5950000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: 75A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: 7250000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Window / User API: threadDelayed 3530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Window / User API: threadDelayed 6318
                    Source: C:\Users\user\Desktop\AdobePDF.exe | Dropped PE file which has not been started: C:\Users\user\Documents\Elaborate Bytes\HD Tach\hdtach.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -27670116110564310s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7724 | Thread sleep count: 3530 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7724 | Thread sleep count: 6318 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -59000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58230s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -58109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -57984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -57870s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -57759s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -57250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -57094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56969s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56857s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56749s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -56062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55710s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55452s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55123s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -55015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54905s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54728s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54590s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 | Thread sleep time: -54156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720Thread sleep time: -54044s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720Thread sleep time: -53922s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720Thread sleep time: -53812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7896Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 59000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 58109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 57984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 57870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 57759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 57250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 57094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 56062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 55015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 54044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 53922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 53812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Thread delayed: delay time: 922337203685477
Source: csc.exe, 00000002.00000002.4209067510.0000000009BD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\AdobePDF.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 2_2_0994EA90 LdrInitializeThunk, 2_2_0994EA90
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_005062D0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_005062D0
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_00452E50 HeapReAlloc,GetProcessHeap,HeapAlloc,HeapFree, 0_2_00452E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\AdobePDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_00587A21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00587A21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\AdobePDF.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4EA0000 protect: page readonly
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5410000 protect: page readonly
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4EA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5410000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4EA0000
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4BA2008
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5410000
Source: C:\Users\user\Desktop\AdobePDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 50B8008
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_0047E360 cpuid, 0_2_0047E360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Users\user\Desktop\AdobePDF.exe | Code function: 0_2_00588043 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00588043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: csc.exe, 00000005.00000003.2217941569.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2520982210.000000000559B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2522217215.000000000559B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2520982210.000000000555E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2522217215.000000000557C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2521128172.000000000557B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2520488458.00000000055CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: csc.exe, 00000005.00000003.2520758839.0000000009D78000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2217666335.0000000009D78000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525088594.0000000009D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
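The behavior entries above can be folded into a handful of indicators by a small triage pass. The following Python is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling; SAMPLE_LINES is a constructed excerpt modeled on this report's own entries (cell separators restored, most of the repeated sleep lines dropped). Two points it encodes that the raw lines do not state: the magnitude 922337203685477 is exactly 0x8000000000000000 / 10000, i.e. the NtDelayExecution interval that Thread.Sleep(Timeout.Infinite) produces, expressed in milliseconds, so the "s" suffix Joe Sandbox prints is really ms and that thread is parked rather than delayed; and csc.exe is started with no compiler arguments and then receives two MZ-headed images at fresh allocations, which is the pattern the "Injects a PE file into a foreign processes" signature refers to. The VM_FINGERPRINT_CLASSES set and the indicator labels are this example's own choices.

```python
"""Triage of Joe Sandbox-style behavior lines for evasion and injection indicators.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES is a constructed
excerpt modeled on this report's entries.
"""
import re
from collections import Counter

# Constructed excerpt of the behavior section (separators restored; the real
# section lists roughly ninety sleep entries for TID 7720).
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 Thread sleep time: -57759s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7720 Thread sleep time: -57250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\AdobePDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\AdobePDF.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4EA0000 protect: page readonly
Source: C:\Users\user\Desktop\AdobePDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4EA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AdobePDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4BA2008
""".strip().splitlines()

SLEEP_RE = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
WMI_RE = re.compile(r"^Source: (?P<src>.+?) WMI Queries: \S+ - (?P<ns>\S+) : (?P<query>.+)$")
PROC_RE = re.compile(r'^Source: (?P<src>.+?) Process created: (?P<target>\S+) "(?P<cmdline>.*)"$')
MEMW_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-F]+)"
                     r"(?: value starts with: (?P<magic>[0-9A-F]+))?$")

# Thread.Sleep(Timeout.Infinite) reaches NtDelayExecution as the relative interval
# 0x8000000000000000 (100 ns units). Divided by 10 000 that is 922337203685477 ms,
# the figure Joe Sandbox prints; anything at or above it is a parked thread.
INFINITE_MS = (1 << 63) // 10_000

# WMI classes whose Manufacturer/Model/Name fields give away hypervisors
# (this list is the example's own choice).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_DiskDrive",
    "Win32_ComputerSystem", "Win32_VideoController", "Win32_PnPEntity",
}


def triage(lines):
    """Fold behavior lines into a findings dict (counts and sets, no verdicts)."""
    f = {
        "sleep_ms_by_tid": Counter(),
        "infinite_waits": 0,
        "vm_fingerprint_classes": set(),
        "av_enumeration": False,
        "argless_children": set(),   # (parent, child) created with an empty command line
        "foreign_writes": Counter(), # (writer, target) -> number of cross-process writes
        "pe_images_written": set(),  # (writer, target, base) where the write starts with MZ
    }
    for line in lines:
        line = line.strip()
        if m := SLEEP_RE.match(line):
            ms = int(m["ms"])
            if ms >= INFINITE_MS:
                f["infinite_waits"] += 1
            else:
                f["sleep_ms_by_tid"][m["tid"]] += ms
        elif m := WMI_RE.match(line):
            cls = m["query"].split()[-1]  # class name for both CreateInstanceEnum and "Select * from X"
            if cls in VM_FINGERPRINT_CLASSES:
                f["vm_fingerprint_classes"].add(cls)
            if m["ns"].lower().endswith("securitycenter2") or cls == "AntivirusProduct":
                f["av_enumeration"] = True
        elif m := PROC_RE.match(line):
            args = m["cmdline"].replace(m["target"], "", 1).strip()
            if not args:
                f["argless_children"].add((m["src"], m["target"]))
        elif m := MEMW_RE.match(line):
            if m["src"] != m["target"]:
                f["foreign_writes"][(m["src"], m["target"])] += 1
                if (m["magic"] or "").upper().startswith("4D5A"):
                    f["pe_images_written"].add((m["src"], m["target"], int(m["base"], 16)))
    return f


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def indicators(f, long_sleep_ms=30_000):
    """Turn findings into short indicator strings for a triage note."""
    out = []
    for tid, ms in sorted(f["sleep_ms_by_tid"].items()):
        if ms >= long_sleep_ms:
            out.append(f"long-sleep: TID {tid} delayed {ms / 1000:.1f} s in total")
    if f["infinite_waits"]:
        out.append(f"infinite-wait: {f['infinite_waits']} Thread.Sleep(Infinite)-sized call(s), thread parked")
    if f["vm_fingerprint_classes"]:
        out.append("wmi-vm-fingerprint: " + ", ".join(sorted(f["vm_fingerprint_classes"])))
    if f["av_enumeration"]:
        out.append("av-enumeration: root\\SecurityCenter2 AntivirusProduct queried")
    for writer, target, base in sorted(f["pe_images_written"]):
        tag = "process-hollowing-candidate" if (writer, target) in f["argless_children"] else "pe-injection"
        out.append(f"{tag}: {_basename(writer)} wrote an MZ image into {_basename(target)} at 0x{base:X}")
    return out


if __name__ == "__main__":
    for ind in indicators(triage(SAMPLE_LINES)):
        print(ind)
```

Run against the full behavior section rather than the excerpt, the per-TID totals show how much of the 240-second analysis window TID 7720 burned sleeping, which is the mechanism behind the "Contains long sleeps" and "Abnormal high CPU Usage" signatures coexisting in this report.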
MITRE ATT&CK matrix. Numbers in parentheses are the badges the matrix shows next to techniques matched by this analysis; entries without a number are the matrix's default (unmatched) cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (131); Command and Scripting Interpreter (2); Native API (1); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (31); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (141); Process Injection (31); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (141); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Information Discovery (134); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection (Source | Detection | Scanner)
AdobePDF.exe | 12% | Virustotal
AdobePDF.exe | 16% | ReversingLabs
No antivirus matches in the remaining four scan tables (dropped files, unpacked PE files, domains, URLs).
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
newstaticfreepoint24.ddns-ip.net | 181.71.216.203 | true | false | (none) | high
URLs found in memory and dropped files (Name | Source | Malicious | Reputation). Trailing characters after some URLs (C:, i, J, ;, 46, SUBCOMMAND) and the cut-off http://www.w3.or are string-extraction residue from the binaries, reproduced as the report lists them; the Antivirus Detection column is empty for every row.
https://curl.se/docs/hsts.html | AdobePDF.exe, hdtach.exe.0.dr | false | high
https://github.com/clap-rs/clap/issuesC: | hdtach.exe.0.dr | false | high
https://github.com/mgravell/protobuf-neti | csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | false | high
https://stackoverflow.com/q/14436606/23354 | csc.exe, 00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | false | high
https://github.com/mgravell/protobuf-netJ | csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | false | high
https://curl.se/docs/http-cookies.html | AdobePDF.exe, hdtach.exe.0.dr | false | high
https://stackoverflow.com/q/11564914/23354; | csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | false | high
https://stackoverflow.com/q/2152978/23354 | csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | false | high
https://github.com/mgravell/protobuf-net | csc.exe, 00000002.00000003.1976044441.0000000008421000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000003.1976044441.000000000855B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4208830088.00000000098B0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008A21000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2245075144.0000000008B5B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2525264064.0000000009F20000.00000004.08000000.00040000.00000000.sdmp | false | high
http://www.w3.or | AdobePDF.exe, hdtach.exe.0.dr | false | high
https://curl.se/docs/alt-svc.html | AdobePDF.exe, hdtach.exe.0.dr | false | high
https://github.com/clap-rs/clap/issues46 | AdobePDF.exe, hdtach.exe.0.dr | false | high
https://github.com/clap-rs/clap/issuesSUBCOMMAND | hdtach.exe.0.dr | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | csc.exe, 00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000002.00000002.4207828082.0000000007223000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.00000000077FB000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2523646930.0000000007621000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/clap-rs/clap/issues | hdtach.exe.0.dr | false | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
181.71.216.203 | newstaticfreepoint24.ddns-ip.net | Colombia | 27831 | ColombiaMovilCO | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587430
Start date and time: 2025-01-10 11:32:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AdobePDF.exe
Detection: MAL
Classification: mal88.evad.winEXE@5/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 312
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Timeline (Time | Type | Description)
05:33:24 | API Interceptor | 9345491x Sleep call for process: csc.exe modified
10:33:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run QualysDLP C:\Users\user\Documents\Elaborate Bytes\HD Tach\hdtach.exe
10:33:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run QualysDLP C:\Users\user\Documents\Elaborate Bytes\HD Tach\hdtach.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
181.71.216.203 | PDFonlineseguro.exe | Get hash | malicious | Unknown | Browse |
181.71.216.203 | AdobePremierPDF.exe | Get hash | malicious | Unknown | Browse |
181.71.216.203 | 2LDJIyMl2r.exe | Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
newstaticfreepoint24.ddns-ip.net | PDFonlineseguro.exe | Get hash | malicious | Unknown | Browse | 181.71.216.203
newstaticfreepoint24.ddns-ip.net | AdobePremierPDF.exe | Get hash | malicious | Unknown | Browse | 181.71.216.203
newstaticfreepoint24.ddns-ip.net | 2LDJIyMl2r.exe | Get hash | malicious | Remcos | Browse | 181.71.216.203
newstaticfreepoint24.ddns-ip.net | SHROsQyiAd.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | 4JwhvqLe8n.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | fIPSLgT0lO.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | 3XSXmrEOw7.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | ozfqy8Ms6t.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | pPLwX9wSrD.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
newstaticfreepoint24.ddns-ip.net | hCJ8gK9kNn.exe | Get hash | malicious | Remcos | Browse | 181.131.217.244
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ColombiaMovilCO | PDFonlineseguro.exe | Get hash | malicious | Unknown | Browse | 181.71.216.203
ColombiaMovilCO | AdobePremierPDF.exe | Get hash | malicious | Unknown | Browse | 181.71.216.203
ColombiaMovilCO | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 6.elf | Get hash | malicious | Unknown | Browse | 181.70.170.80
ColombiaMovilCO | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
                                                          No context
                                                          No context
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):838
                                                          Entropy (8bit):5.343981685113983
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KlKDE4KhKiKhRAE4KzeosXE4qdKm:MxHKlYHKh3oRAHKzePHA
                                                          MD5:9CCD52F7E666DC3225FA8A6D9120C198
                                                          SHA1:35571A48C9F29765D69EFD69D95669B1A180BBD9
                                                          SHA-256:965053376DFF2CDD816C41292E23666E3456504A75254130D620C3C5BB94949D
                                                          SHA-512:8B66F632EEEF894527CD0EBF331E97E158A40668AC6D290F079449A03477542B609C5FA7AE1E6321093860B11CE697E2D4FECA24ADE51DC94608398B9BC81B54
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..
                                                          Process:C:\Users\user\Desktop\AdobePDF.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):959667331
                                                          Entropy (8bit):0.06018102535485538
                                                          Encrypted:false
                                                          SSDEEP:
                                                          MD5:77793946BB70355EF6AD3C0BFB83C136
                                                          SHA1:AE404DDCAD95BD6704D6F9899ED0E8C0E2F00873
                                                          SHA-256:26958D28724FFBA5E101C0738D820625D3420D1D788F51F67ACE82A7800DC45D
                                                          SHA-512:4022D771960228DF76B1187265305A1D4324C309508506E0ABFE1960A5A4ADF36B354AD7A08363CF7F4F6F75C3B91C396BD031A593E6D19C4203E6AB323B20DF
                                                          Malicious:true
                                                          Reputation:low
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......1..Yu...u...u...>...d...>.......>...c...:.;.s...:...R...:...g...:...m.......g...........>...v...u...r...u.........9.t.......t...Richu...........................PE..L...H..d.........."....".....V"......v....... ....@...........................=.......'...@..................................F#.......#...............&. .... &......C".T...................@D"......B".@............ ..h............................text............................... ..`.rdata...@... ...<..................@..@.data.... ...`#......N#.............@....rsrc.........#......^#.............@..@................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):6.849405076205069
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:AdobePDF.exe
                                                          File size:4'024'320 bytes
                                                          MD5:44cc93b896b10417f5d231088ffe6924
                                                          SHA1:5def3a0114a71e6affd57d9bc7b9757bf4b6eb14
                                                          SHA256:587d10cf5d8c91fe31141bad01719e6a99914010659ef951b1680e97559e7910
                                                          SHA512:39d38f7baf6213fe7b651e942c7dc673d617d83f25549af3897fd69b51a70c1664096831d2eb725ba6edcc5c96ac291a7c073456e52bbe97b674fe7ebabc25e7
                                                          SSDEEP:98304:ikJWBMZlJBcsrblAKE9E+Fi+MvhsE+NE+y0fR46+gjTkWU5QIi1DkR7ibtouu0qL:ikJWBMZlJBcsrblAKEW+E+MvhsE+NE+U
                                                          TLSH:BE169F91E200D0A7D05B2174E00FEAF5A6323DB6B705DED397887E3E34716D22D396A9
                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......1..Yu...u...u...>...d...>.......>...c...:.;.s...:...R...:...g...:...m.......g...........>...v...u...r...u.........9.t.......t..
                                                          Icon Hash:51e869694d69924d
                                                          Entrypoint:0x5876b2
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x64B8FF48 [Thu Jul 20 09:32:56 2023 UTC]
                                                          TLS Callbacks:0x52dd90
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:c5269153981e562b1aed0a612d80f025
                                                          Signature Valid:
                                                          Signature Issuer:
                                                          Signature Validation Error:
                                                          Error Number:
                                                          Not Before, Not After
                                                            Subject Chain
                                                              Version:
                                                              Thumbprint MD5:
                                                              Thumbprint SHA-1:
                                                              Thumbprint SHA-256:
                                                              Serial:
                                                              Instruction
                                                              call 00007F5F688E802Eh
                                                              jmp 00007F5F688E74C9h
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              push ebx
                                                              push esi
                                                              mov eax, dword ptr [esp+18h]
                                                              or eax, eax
                                                              jne 00007F5F688E766Ah
                                                              mov ecx, dword ptr [esp+14h]
                                                              mov eax, dword ptr [esp+10h]
                                                              xor edx, edx
                                                              div ecx
                                                              mov ebx, eax
                                                              mov eax, dword ptr [esp+0Ch]
                                                              div ecx
                                                              mov edx, ebx
                                                              jmp 00007F5F688E7693h
                                                              mov ecx, eax
                                                              mov ebx, dword ptr [esp+14h]
                                                              mov edx, dword ptr [esp+10h]
                                                              mov eax, dword ptr [esp+0Ch]
                                                              shr ecx, 1
                                                              rcr ebx, 1
                                                              shr edx, 1
                                                              rcr eax, 1
                                                              or ecx, ecx
                                                              jne 00007F5F688E7646h
                                                              div ebx
                                                              mov esi, eax
                                                              mul dword ptr [esp+18h]
                                                              mov ecx, eax
                                                              mov eax, dword ptr [esp+14h]
                                                              mul esi
                                                              add edx, ecx
                                                              jc 00007F5F688E7660h
                                                              cmp edx, dword ptr [esp+10h]
                                                              jnbe 00007F5F688E765Ah
                                                              jc 00007F5F688E7659h
                                                              cmp eax, dword ptr [esp+0Ch]
                                                              jbe 00007F5F688E7653h
                                                              dec esi
                                                              xor edx, edx
                                                              mov eax, esi
                                                              pop esi
                                                              pop ebx
                                                              retn 0010h
                                                              push ebp
                                                              mov ebp, esp
                                                              test byte ptr [ebp+08h], 00000001h
                                                              push esi
                                                              mov esi, ecx
                                                              mov dword ptr [esi], 0061A9A8h
                                                              je 00007F5F688E765Ch
                                                              push 0000000Ch
                                                              push esi
                                                              call 00007F5F688E82C8h
                                                              pop ecx
                                                              pop ecx
                                                              mov eax, esi
                                                              pop esi
                                                              pop ebp
                                                              retn 0004h
                                                              cmp ecx, dword ptr [00636510h]
                                                              jne 00007F5F688E7653h
                                                              ret
                                                              jmp 00007F5F688E7945h
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              int3
                                                              push edi
                                                              push esi
                                                              push ebx
                                                              xor edi, edi
                                                              mov eax, dword ptr [esp+14h]
                                                              or eax, eax
                                                              jnl 00007F5F688E7666h
                                                              inc edi
                                                              mov edx, dword ptr [esp+10h]
                                                              neg eax
                                                              neg edx
                                                              sbb eax, 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2346ec | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x238000 | 0x1a08e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x26d200 | 0x8120 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x262000 | 0xd4a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2243b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x224440 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2242f0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b2000 | 0x368 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b1000 | 0x1b0e00 | 2cbf901d97457c56bc03658830ec27e4 | False | 0.49542146440947155 | data | 6.549341400084285 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b2000 | 0x84000 | 0x83c00 | 8d2f67a016b283587097996d6458bdcf | False | 0.4693559505455408 | data | 5.798902979613995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x236000 | 0x2000 | 0x1000 | 491c26b7af8d659e4e2e6903dddc8341 | False | 0.228271484375 | data | 2.891116441211828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x238000 | 0x1a08e0 | 0x1a0a00 | 70918993bb1497a9b7066a4a2a8fc853 | False | 0.591280026440144 | data | 7.002302548921975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x238588 | 0xcf28 | Device independent bitmap graphic, 552 x 24 x 32, image size 52992, resolution 3543 x 3543 px/m |  |  | 0.4380374113742646
RT_BITMAP | 0x2454b0 | 0x23f28 | Device independent bitmap graphic, 920 x 40 x 32, image size 147200, resolution 3503 x 3503 px/m |  |  | 0.3137190980711763
RT_BITMAP | 0x2693d8 | 0x19f98 | Device independent bitmap graphic, 782 x 34 x 32, image size 106352, resolution 3543 x 3543 px/m |  |  | 0.3707891570794797
RT_BITMAP | 0x283370 | 0x402a | Device independent bitmap graphic, 64 x 64 x 32, image size 16386, resolution 2834 x 2834 px/m |  |  | 0.39419213442103984
RT_ICON | 0x28739c | 0x587b9 | PC bitmap, Windows 3.x format, 45981 x 2 x 41, image size 362988, cbSize 362425, bits offset 54 |  |  | 0.9976105401117472
RT_ICON | 0x2dfb58 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 |  |  | 0.4078558225508318
RT_ICON | 0x2e4fe0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.5551705756929638
RT_ICON | 0x2e5e88 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.680956678700361
RT_ICON | 0x2e6730 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.6683526011560693
RT_ICON | 0x2e6c98 | 0xf532 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004142106101641
RT_ICON | 0x2f61cc | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.25051756772743405
RT_ICON | 0x3069f4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3019012753897024
RT_ICON | 0x30ac1c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3429460580912863
RT_ICON | 0x30d1c4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4176829268292683
RT_ICON | 0x30e26c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3962765957446808
RT_STRING | 0x30e6d4 | 0x11a4 | data |  |  | 0.5004428697962799
RT_RCDATA | 0x30f878 | 0x46d3b | Delphi compiled form 'TfHint' |  |  | 0.3806216327079319
RT_RCDATA | 0x3565b4 | 0x46d3b | Delphi compiled form 'TfHint' |  |  | 0.33296680190412503
RT_RCDATA | 0x39d2f0 | 0x6a97 | Delphi compiled form 'TfLinks' |  |  | 0.5662036867372742
RT_RCDATA | 0x3a3d88 | 0x5445 | Delphi compiled form '\021TTechServiceFrame\020TechServiceFrame' |  |  | 0.46646270801464795
RT_GROUP_ICON | 0x3a91d0 | 0x84 | data | English | United States | 0.6742424242424242
RT_ANIICON | 0x3a9254 | 0x2f689 | PC bitmap, Windows 3.x format, 24374 x 2 x 49, image size 194811, cbSize 194185, bits offset 54 |  |  | 0.9943095501712285
DLL | Import
WINTRUST.dll | WinVerifyTrust
kernel32.dll | SetStdHandle, GetFileAttributesExW, GetCurrentProcessId, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetConsoleOutputCP, GetCommandLineA, WriteFile, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, FileTimeToSystemTime, PeekNamedPipe, GetDriveTypeW, LoadLibraryExW, InitializeCriticalSectionAndSpinCount, SetLastError, FormatMessageW, QueryPerformanceCounter, GetTickCount, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, GetModuleHandleA, LoadLibraryA, RaiseException, RtlUnwind, GetStartupInfoW, IsDebuggerPresent, Sleep, InitializeSListHead, GetCurrentThreadId, MultiByteToWideChar, WideCharToMultiByte, SetEndOfFile, SetHandleInformation, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, GetModuleHandleW, GetProcAddress, GetLastError, LoadLibraryW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, FindFirstFileExW, GetEnvironmentVariableA, SleepEx, VerSetConditionMask, VerifyVersionInfoW, CreateFileA, GetFileSizeEx, ReadFile, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, GetTimeZoneInformation, DecodePointer, GetModuleFileNameW, SetErrorMode, SetThreadErrorMode, GetStdHandle, GetConsoleMode, GetFileInformationByHandleEx, TryAcquireSRWLockExclusive, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, SetConsoleMode, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, ReleaseMutex, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, CreateMutexA, FreeEnvironmentStringsW, FindClose, ReleaseSRWLockShared, CompareStringOrdinal, AddVectoredExceptionHandler, SetThreadStackGuarantee, SwitchToThread, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, CloseHandle, TlsGetValue, GetCommandLineW, FlushFileBuffers, DuplicateHandle, SetFilePointerEx, WriteFileEx, ReadFileEx, WaitForSingleObject, GetExitCodeProcess, TerminateProcess, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, AcquireSRWLockShared, FindNextFileW, CreateFileW, GetFileInformationByHandle, IsProcessorFeaturePresent, MoveFileExA, CreateDirectoryW, FindFirstFileW, DeleteFileW, MoveFileExW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, GetOverlappedResult, CancelIo, GetFileType, SetCurrentDirectoryW, ExitProcess, GetFullPathNameW, CreateNamedPipeW, WaitForMultipleObjects, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, TlsSetValue, WriteConsoleW, ReadConsoleW, CreateThread, InitOnceBeginInitialize, TlsAlloc, InitOnceComplete, TlsFree, GetSystemTimeAsFileTime, HeapSize
advapi32.dll | CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, RegisterServiceCtrlHandlerExW, SetServiceStatus, StartServiceCtrlDispatcherW, CryptAcquireContextA, SystemFunction036
crypt32.dll | CryptStringToBinaryA, CertGetEnhancedKeyUsage, CertCloseStore, CertOpenStore, PFXImportCertStore, CertAddCertificateContextToStore, CertEnumCertificatesInStore, CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CryptDecodeObjectEx, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext
ws2_32.dll | select, __WSAFDIsSet, socket, htons, WSACleanup, WSAStartup, WSASetLastError, htonl, WSAGetLastError, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, getaddrinfo, WSACloseEvent, ntohs, setsockopt, send, recv, getsockopt, getpeername, getsockname, accept, listen, ioctlsocket, connect, bind, WSASocketW, closesocket, freeaddrinfo, WSAIoctl, WSACreateEvent
bcrypt.dll | BCryptGenRandom
ntdll.dll | RtlNtStatusToDosError, NtWriteFile, NtReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
UDP packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Jan 10, 2025 11:33:25.249376059 CET | 52131       | 53        | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 11:33:25.264029026 CET | 53          | 52131     | 1.1.1.1     | 192.168.2.4

DNS queries

Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                             | Type           | Class       | DNS over HTTPS
Jan 10, 2025 11:33:25.249376059 CET | 192.168.2.4 | 1.1.1.1 | 0xdf4f   | Standard query (0) | newstaticfreepoint24.ddns-ip.net | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                             | CName | Address        | Type           | Class       | DNS over HTTPS
Jan 10, 2025 11:33:25.264029026 CET | 1.1.1.1   | 192.168.2.4 | 0xdf4f   | No error (0) | newstaticfreepoint24.ddns-ip.net |       | 181.71.216.203 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 05:33:01
Start date: 10/01/2025
Path: C:\Users\user\Desktop\AdobePDF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AdobePDF.exe"
Imagebase: 0x400000
File size: 4'024'320 bytes
MD5 hash: 44CC93B896B10417F5D231088FFE6924
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 05:33:21
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase: 0x7d0000
File size: 2'141'552 bytes
MD5 hash: EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.4207828082.0000000006FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.4208782145.0000000009850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.4208342328.0000000008143000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 05:33:48
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase: 0x7d0000
File size: 2'141'552 bytes
MD5 hash: EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2523646930.00000000075A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2524199967.0000000008743000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2525223078.0000000009EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 65%
Signature Coverage: 10.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 61
8ec63e 109567->112226 112237 3bec5d47 109567->112237 112241 8f4e24 109567->112241 112253 8f562a 109567->112253 112257 3beb8d4c 109567->112257 112260 8e762f 109567->112260 112286 8f462e 109567->112286 112300 3bec4570 109567->112300 112316 3beb7d77 109567->112316 112326 8e461c 109567->112326 112329 8f8e15 109567->112329 112345 3bebd564 109567->112345 112351 8e661f 109567->112351 112377 890607 109567->112377 112383 8efe00 109567->112383 112394 3bebd569 109567->112394 112399 3bebe567 109567->112399 112435 8e86f3 109567->112435 112453 3beb7d96 109567->112453 112461 8966f0 109567->112461 112465 3bebd596 109567->112465 112473 8f56f7 109567->112473 112477 8f96f6 109567->112477 112482 3bd6bdae 109567->112482 112486 8e96f6 109567->112486 112500 3beb759c 109567->112500 112530 8a16f2 109567->112530 112534 8e86e2 109567->112534 112553 3beb6586 109567->112553 112587 8e76e4 109567->112587 112604 8956e3 109567->112604 112615 8efee8 109567->112615 112626 8f8ee8 109567->112626 112638 8e96d0 109567->112638 112652 3bd825b8 109567->112652 112673 3bd6bd82 109567->112673 112677 8f46d9 109567->112677 112696 8f46c0 109567->112696 112716 8e76df 109567->112716 112734 3bec55a7 109567->112734 112738 8ecec3 109567->112738 112753 8efecc 109567->112753 112764 3bd66594 109567->112764 112768 8e66b8 109567->112768 112794 3bebd5d6 109567->112794 112802 3beb65db 109567->112802 112828 3bebc5dd 109567->112828 112844 3beb95c1 109567->112844 112847 8ed6a3 109567->112847 112853 8eeea8 109567->112853 112872 8a36a3 109567->112872 112875 8f4eab 109567->112875 112887 89f6ac 109567->112887 112900 8e86ae 109567->112900 112918 3bd655f7 109567->112918 112936 8f4692 109567->112936 112948 3bebfdf4 109567->112948 112962 895693 109567->112962 112976 3beb75f0 109567->112976 112998 3bebede7 109567->112998 113022 3bd65dc6 109567->113022 113028 8f568a 109567->113028 113032 8ed685 109567->113032 113040 3bebfdeb 109567->113040 113054 8a368e 109567->113054 113059 8e3d70 109567->113059 113069 8f4570 109567->113069 113083 
3beb661f 109567->113083 113113 8e7d77 109567->113113 113123 8b3d60 109567->113123 113127 896562 109567->113127 113133 8ed564 109567->113133 113139 3bebfe00 109567->113139 113153 8ed569 109567->113153 113158 8ee567 109567->113158 113191 3bd8263b 109567->113191 113211 8e856a 109567->113211 113235 3bd82602 109567->113235 113251 8f5d53 109567->113251 113255 3bd60607 109567->113255 113261 3bebc63e 109567->113261 113275 8ed545 109567->113275 113284 8f5d42 109567->113284 113288 3bec562a 109567->113288 113292 8f5d47 109567->113292 113296 8e8d4c 109567->113296 113299 3beb762f 109567->113299 113329 3bebfe54 109567->113329 113343 3bebee54 109567->113343 113367 8f8d33 109567->113367 113383 3bd66668 109567->113383 113387 8e8d36 109567->113387 113392 8e7d34 109567->113392 113402 8e953f 109567->113402 113420 3beb765a 109567->113420 113448 3bec4645 109567->113448 113474 3bec5643 109567->113474 113478 3bebce7c 109567->113478 113497 3bec3e48 109567->113497 113504 89cd1f 109567->113504 113508 3bebd67c 109567->113508 113516 3bd65642 109567->113516 113525 3bd66642 109567->113525 113529 8e751c 109567->113529 113555 3bebee79 109567->113555 113579 3bd65e5a 109567->113579 113583 895505 109567->113583 113597 8e8d02 109567->113597 113626 3beb6667 109567->113626 113656 8efd0e 109567->113656 113667 3bd6565f 109567->113667 113676 8e75f0 109567->113676 113696 8955f7 109567->113696 113710 8e95f5 109567->113710 113724 3bec4692 109567->113724 113737 3bd736a3 109567->113737 113740 8efdf4 109567->113740 113751 8eede7 109567->113751 113776 3bebd685 109567->113776 113784 8efdeb 109567->113784 113795 3bec568a 109567->113795 113799 8ed5d6 109567->113799 113807 3bd7368e 109567->113807 113812 8955df 109567->113812 113827 3bd7ae80 109567->113827 113830 8ec5dd 109567->113830 113842 8e65db 109567->113842 113866 895dc6 109567->113866 113872 3beb66b8 109567->113872 113902 8e85c6 109567->113902 113925 8e95c1 109567->113925 113928 3bd65693 109567->113928 113946 3bebd6a3 109567->113946 113952 8e45b1 109567->113952 
113956 3bebeea8 109567->113956 113976 3bec46d9 109567->113976 113997 3bd826e3 109567->113997 114017 8e85a1 109567->114017 114041 3beb76df 109567->114041 114061 8f55a7 109567->114061 114065 3bec46c0 109567->114065 114087 3bebfecc 109567->114087 114101 3bebcec3 109567->114101 114120 8e3da8 109567->114120 114124 89bdae 109567->114124 114128 3bd716f2 109567->114128 114132 3bd666f0 109567->114132 114136 3bd826c6 109567->114136 114156 8e85ae 109567->114156 114180 3bec56f7 109567->114180 114184 896594 109567->114184 114188 8e7d96 109567->114188 114196 8ed596 109567->114196 114204 3beb76e4 109567->114204 114223 8e759c 109567->114223 114249 89bd82 109567->114249 114253 8f9584 109567->114253 114269 3bebfee8 109567->114269 114283 8e6586 109567->114283 114311 3bebe711 109567->114311 114347 8edc75 109567->114347 114353 3bebef1d 109567->114353 114376 3beb671c 109567->114376 114406 3bebe71a 109567->114406 114441 895478 109567->114441 114455 895467 109567->114455 114469 3beb771b 109567->114469 114487 8e7c65 109567->114487 114491 3bec4702 109567->114491 114513 3beb770c 109567->114513 114531 3beb6701 109567->114531 114561 3bd65737 109567->114561 114564 8efc6b 109567->114564 114575 3bd65709 109567->114575 114584 89fc68 109567->114584 114590 3bebff36 109567->114590 114600 8e7c50 109567->114600 114604 8e8c57 109567->114604 114633 8e9455 109567->114633 114651 3bd65702 109567->114651 114660 3bebcf32 109567->114660 114679 8e8c5c 109567->114679 114708 3beb7738 109567->114708 114726 3bebd725 109567->114726 114732 8ab45a 109567->114732 114735 8edc4e 109567->114735 114741 8f4c42 109567->114741 114753 8e7420 109567->114753 114775 3bec472c 109567->114775 114796 8e8425 109567->114796 114814 8edc25 109567->114814 114820 8efc27 109567->114820 114830 3bebe740 109567->114830 114864 8ef413 109567->114864 114883 3bebe74b 109567->114883 114917 8f5414 109567->114917 114921 8eec15 109567->114921 114930 8eec1a 109567->114930 114939 8f541a 109567->114939 114943 895c05 109567->114943 114949 8ecc00 
109567->114949 114967 891402 109567->114967 114972 8e7c02 109567->114972 114978 3beb7763 109567->114978 114993 8edc06 109567->114993 114999 8e9c09 109567->114999 115003 8e8406 109567->115003 115018 3bd797ac 109567->115018 115025 3bd78fa8 109567->115025 115034 8a94f9 109567->115034 115038 3beb7798 109567->115038 115042 3bd77789 109567->115042 115046 8ecce9 109567->115046 115051 8e9cd9 109567->115051 115055 3bd83783 109567->115055 115067 8ed4b1 109567->115067 115077 3bd79793 109567->115077 115086 3beb67dc 109567->115086 115116 8954b0 109567->115116 115130 3bebefc7 109567->115130 115162 3bd797f9 109567->115162 115168 8e7ca9 109567->115168 115172 8f54a5 109567->115172 115176 895c97 109567->115176 115182 8b3ca8 109567->115182 115189 8e7c97 109567->115189 115193 8f4c96 109567->115193 115199 3beb77fa 109567->115199 115212 8efc96 109567->115212 115223 8f848b 109567->115223 115241 8f4c85 109567->115241 115247 8f8a85 109567->115247 115257 3bec57ee 109567->115257 115261 8e7b73 109567->115261 115267 3bec4813 109567->115267 115288 8edb7b 109567->115288 115294 8f5376 109567->115294 115298 3bebd008 109567->115298 115317 8e3b65 109567->115317 115327 3bebe025 109567->115327 115333 8f3356 109567->115333 115339 8e3b42 109567->115339 115348 895344 109567->115348 115357 8e8348 109567->115357 115373 8edb42 109567->115373 115379 3beb7854 109567->115379 115383 3bec5829 109567->115383 115387 8efb36 109567->115387 115396 3bebf054 109567->115396 115426 3bebf05f 109567->115426 115456 8f8337 109567->115456 115479 895b28 109567->115479 115483 8ef326 109567->115483 115505 3beba07c 109567->115505 115509 3bebd04a 109567->115509 115521 8e7b1e 109567->115521 115527 8e6b1c 109567->115527 115550 8ef30d 109567->115550 115574 3bec587c 109567->115574 115578 3beba09d 109567->115578 115582 3bec6891 109567->115582 115587 3beb789f 109567->115587 115595 3bd6b8a3 109567->115595 115599 8f8be0 109567->115599 115609 8e9bfc 109567->115609 115613 8e7be1 109567->115613 115619 8a93e5 109567->115619 115628 3bec4884 
109567->115628 115649 8efbe4 109567->115649 115662 3bd798b3 109567->115662 115666 3bebd08c 109567->115666 115681 8f83ef 109567->115681 115699 8edbec 109567->115699 115705 3bd70888 109567->115705 115708 3beba0b4 109567->115708 115712 3beb68ba 109567->115712 115744 8e9bd2 109567->115744 115748 8ef3c3 109567->115748 115767 8e6bde 109567->115767 115773 3bebd8a6 109567->115773 115779 8f4bc2 109567->115779 115791 3bec48a0 109567->115791 115812 8e3bc2 109567->115812 115821 8e73cd 109567->115821 115843 8953ce 109567->115843 115852 3bec68ae 109567->115852 115856 8efbcc 109567->115856 115865 3bd6b8e9 109567->115865 115869 3beba0ab 109567->115869 115873 3bebe8d3 109567->115873 115904 3bebf0d1 109567->115904 115934 8e9ba0 109567->115934 115938 8f8bbf 109567->115938 115950 8e7ba9 109567->115950 115956 3bd6b8fd 109567->115956 115960 8e6baa 109567->115960 115982 8edbab 109567->115982 115988 3bebe8f0 109567->115988 116018 8f8b94 109567->116018 116033 8e839d 109567->116033 116051 3bec48f8 109567->116051 116065 8eeb80 109567->116065 116096 895b99 109567->116096 116102 8f8b84 109567->116102 116119 3bebe8e6 109567->116119 116149 8e7276 109567->116149 116173 8f438c 109567->116173 116181 8e427b 109567->116181 116187 89b271 109567->116187 116195 8f5267 109567->116195 116199 8e7261 109567->116199 116224 8eda68 109567->116224 116230 8f3a68 109567->116230 116237 896a6a 109567->116237 116241 8b326e 109567->116241 116244 3bec590e 109567->116244 116248 3bec490f 109567->116248 116261 8f5254 109567->116261 116265 8ee251 109567->116265 116298 3bd71103 109567->116298 116301 3bec3936 109567->116301 116308 3beb693b 109567->116308 116312 3bebd13f 109567->116312 116328 8efa44 109567->116328 116343 3beb6924 109567->116343 116347 3bd68911 109567->116347 116353 8f5245 109567->116353 116359 3bd6b913 109567->116359 116363 3bebd92d 109567->116363 116369 8f3a30 109567->116369 116376 8ee24c 109567->116376 116409 3bd82964 109567->116409 116429 8ef230 109567->116429 116456 8f3a3b 109567->116456 116463 8eda3b 
109567->116463 116469 8ada38 109567->116469 116473 3bd7a164 109567->116473 116490 3bebc143 RegSetValueExW 109567->116490 116492 8eea3e 109567->116492 116525 3bd8397d 109567->116525 116529 8eb229 109567->116529 116533 8e9a2b 109567->116533 116547 8f9a2a 109567->116547 116553 8e422a 109567->116553 116559 89aa2d 109567->116559 116563 8e7a2d 109567->116563 116568 3bd7a974 109567->116568 116577 8e3a14 109567->116577 116581 3bec594e 109567->116581 116585 8f3a16 109567->116585 116592 8eea14 109567->116592 116625 3bec3968 109567->116625 116632 3bebd179 109567->116632 116648 3bd7f9ae 109567->116648 116654 3bd669a9 109567->116654 116660 895ae1 109567->116660 116668 3bec499c 109567->116668 116681 895aec 109567->116681 116689 3bd659b0 109567->116689 116695 8f42d0 109567->116695 116703 8e72ee 109567->116703 116723 3beb71b6 109567->116723 116727 3beb79b5 109567->116727 116735 8f42d6 109567->116735 116743 3beb71b1 109567->116743 116747 8f2adb 109567->116747 116753 8e72d7 109567->116753 116773 3bd79199 109567->116773 116782 8e42c1 109567->116782 116788 3bec39a0 109567->116788 116797 8ef2c3 109567->116797 116821 8f2ac4 109567->116821 116828 3bebd9a7 109567->116828 116834 8952ce 109567->116834 116854 8eeac6 109567->116854 116885 8ee2cf 109567->116885 116918 89b2cc 109567->116918 116922 3bd669ea 109567->116922 116928 3bebd1ab 109567->116928 116944 3bebe9dd 109567->116944 116974 89b2b2 109567->116974 116978 3bd659f9 109567->116978 116982 8ee2bc 109567->116982 117015 3beb71c0 109567->117015 117019 8e72a2 109567->117019 117043 8f42a6 109567->117043 117053 3bd6a9fc 109567->117053 117057 8e7aab 109567->117057 117063 8f9aaa 109567->117063 117067 8e8aac 109567->117067 117102 89b2ad 109567->117102 117106 8ef292 109567->117106 117133 3bd731c9 109567->117133 117141 8e7a94 109567->117141 117147 8f5293 109567->117147 117151 8e3a9a 109567->117151 117155 3bec39f4 109567->117155 117162 3bec39e1 109567->117162 117170 8e9a9f 109567->117170 117184 3bd6b9d6 109567->117184 117188 3bec2ac4 109567->117188 
117195 3bd6aa2d 109567->117195 117199 3bebea14 109567->117199 117229 8e4174 109567->117229 117233 3bec3a16 109567->117233 117240 8b397d 109567->117240 117244 8ed179 109567->117244 117256 89f962 109567->117256 117264 8f5160 109567->117264 117270 8f3968 109567->117270 117277 3bd6323c 109567->117277 117281 8e8952 109567->117281 117310 3bec3a30 109567->117310 117317 8e4155 109567->117317 117322 8e9955 109567->117322 117338 3bebea3e 109567->117338 117368 3bec3a3b 109567->117368 117375 8ec143 RegSetValueExW 109567->117375 117377 3bebda3b 109567->117377 117383 3bebb229 109567->117383 117387 8e894a 109567->117387 117416 3bd66a6a 109567->117416 117420 8f594e 109567->117420 117424 8f3936 109567->117424 117431 3bebe251 109567->117431 117467 3bd8326e 109567->117467 117470 3bec5254 109567->117470 117474 8ed13f 109567->117474 117486 8e693b 109567->117486 117490 8e6924 109567->117490 117494 3bebfa44 109567->117494 117512 8e9126 109567->117512 117530 8ed126 109567->117530 117542 3bebe24c 109567->117542 117578 3bd6b271 109567->117578 117586 8ed92d 109567->117586 117592 8e512b 109567->117592 117610 3beb7276 109567->117610 117638 8e8910 109567->117638 117672 898911 109567->117672 117678 89b913 109567->117678 117682 3bec5267 109567->117682 117686 8e4119 109567->117686 117694 8f4106 109567->117694 117702 3beb7261 109567->117702 117731 89e90c 109567->117731 117736 8a1103 109567->117736 117739 3bebda68 109567->117739 117745 3bec3a68 109567->117745 117752 8f490f 109567->117752 117764 8f590e 109567->117764 117768 3bd6b2ad 109567->117768 117772 3beb7a94 109567->117772 117778 8e41f4 109567->117778 117782 8f39f4 109567->117782 117789 8e79ff 109567->117789 117795 89a9fc 109567->117795 117799 8f39e1 109567->117799 117807 8959f9 109567->117807 117811 8e41e6 109567->117811 117815 8f51e4 109567->117815 117821 8969ea 109567->117821 117827 3bd6b2b2 109567->117827 117831 3bebe2bc 109567->117831 117867 8e79ee 109567->117867 117873 8e89df 109567->117873 117902 8ee9dd 109567->117902 117935 3beb72a2 
109567->117935 117963 8e71c0 109567->117963 117967 8a31c9 109567->117967 117975 8e89c8 109567->117975 118004 8e71b1 109567->118004 118008 3beb7aab 109567->118008 118014 8e79b5 109567->118014 118020 3beb72d7 109567->118020 118042 8959b0 109567->118042 118048 3bd65aec 109567->118048 118056 3bd65ae1 109567->118056 118064 8e71b6 109567->118064 118068 8f39a0 109567->118068 118077 3bec2adb 109567->118077 118083 8ed9a7 109567->118083 118089 3bebeac6 109567->118089 118117 8e41a9 109567->118117 118123 8ee8f0 109567->118123 118156 8af9ae 109567->118156 118159 8ed1ab 109567->118159 118171 8969a9 109567->118171 118177 3bebe2cf 109567->118177 118213 3bd6b2cc 109567->118213 118217 8e9991 109567->118217 118231 89b99e 109567->118231 118235 3bd652ce 109567->118235 118259 8f499c 109567->118259 118271 8a9199 109567->118271 118280 3beb72ee 109567->118280 118302 8e419e 109567->118302 118308 8f5078 109567->118308 118316 3bd65b28 109567->118316 118320 8f587c 109567->118320 118324 3beb7b1e 109567->118324 118330 8f506c 109567->118330 118338 8ea07c 109567->118338 118342 8ef054 109567->118342 118369 3bebfb36 109567->118369 118379 8e405b 109567->118379 118390 8e7854 109567->118390 118394 3bd7a31b 109567->118394 118411 8ef05f 109567->118411 118438 8f4030 109567->118438 118446 8ed04a 109567->118446 118456 8f4035 109567->118456 118464 3bec3356 109567->118464 118470 3bebdb42 109567->118470 118476 8ee025 109567->118476 118482 3bd7a371 109567->118482 118499 8f5829 109567->118499 118503 3bec5376 109567->118503 118507 8f4813 109567->118507 118526 89f81c 109567->118526 118532 3beb7b73 109567->118532 118538 3bebdb7b 109567->118538 118544 3bd65344 109567->118544 118553 8f500d 109567->118553 118561 8ed008 109567->118561 118576 8f48f8 109567->118576 118589 3bebf3c3 109567->118589 118609 8e88ff 109567->118609 118643 89b8fd 109567->118643 118647 8ee8e6 109567->118647 118680 3bebeb80 109567->118680 118714 8ef0d1 109567->118714 118741 89b8e9 109567->118741 118745 3bd65b99 109567->118745 118751 8ee8d3 
109567->118751 118785 3beb9ba0 109567->118785 118789 8e98c0 109567->118789 118803 3bebdbab 109567->118803 118809 3beb7ba9 109567->118809 118815 8ea0b4 109567->118815 118819 8e98b2 109567->118819 118833 8e40b6 109567->118833 118837 3beb9bd2 109567->118837 118841 3bd793e5 109567->118841 118850 8e68ba 109567->118850 118876 89b8a3 109567->118876 118880 8f48a0 109567->118880 118899 8e6895 109567->118899 118924 8ed8a6 109567->118924 118930 3bebfbcc 109567->118930 118940 8e90a9 109567->118940 118958 8f40ab 109567->118958 118966 8ea0ab 109567->118966 118970 89f8a9 109567->118970 118976 8f68ae 109567->118976 118980 3bd7a3ca 109567->118980 118997 8f6891 109567->118997 119002 3bd653ce 109567->119002 119011 3beb7be1 109567->119011 119017 8e989d 109567->119017 119031 3beb9bfc 109567->119031 119035 8e789f 109567->119035 119041 8ea09d 109567->119041 119045 3bebdbec 109567->119045 119051 8f4884 109567->119051 119070 8ed08c 109567->119070 119082 8a0888 109567->119082 110243 548df4 110242->110243 110244 548e52 110243->110244 110245 8a0888 Wow64GetThreadContext 110243->110245 110246 8ed08c 37 API calls 110243->110246 110247 3bebdbec 27 API calls 110243->110247 110248 3beb7be1 2 API calls 110243->110248 110249 8f4884 8 API calls 110243->110249 110250 8e789f 3 API calls 110243->110250 110251 8ea09d RegOpenKeyExW 110243->110251 110252 8e989d 5 API calls 110243->110252 110253 3beb9bfc RegOpenKeyExW 110243->110253 110254 3bd653ce 5 API calls 110243->110254 110255 8e6895 18 API calls 110243->110255 110256 3bd7a3ca 7 API calls 110243->110256 110257 8f6891 2 API calls 110243->110257 110258 89f8a9 4 API calls 110243->110258 110259 8f68ae CreateFileW 110243->110259 110260 8f40ab 12 API calls 110243->110260 110261 8ea0ab RegOpenKeyExW 110243->110261 110262 3bebfbcc 11 API calls 110243->110262 110263 8e90a9 6 API calls 110243->110263 110264 3bebf3c3 15 API calls 110243->110264 110265 8ed8a6 33 API calls 110243->110265 110266 89b8a3 CreateProcessW 110243->110266 110267 8f48a0 8 API calls 
110243->110267 110268 3bd793e5 3 API calls 110243->110268 110269 8e68ba 17 API calls 110243->110269 110270 8e40b6 LoadLibraryW 110243->110270 110271 3beb9bd2 RegOpenKeyExW 110243->110271 110272 8ea0b4 RegOpenKeyExW 110243->110272 110273 8e98b2 5 API calls 110243->110273 110274 3bebdbab 27 API calls 110243->110274 110275 3beb7ba9 2 API calls 110243->110275 110276 3beb9ba0 RegOpenKeyExW 110243->110276 110277 8e98c0 5 API calls 110243->110277 110278 3bd65b99 2 API calls 110243->110278 110279 8ee8d3 30 API calls 110243->110279 110280 8ef0d1 22 API calls 110243->110280 110281 89b8e9 CreateProcessW 110243->110281 110282 8ee8e6 30 API calls 110243->110282 110283 3bebeb80 24 API calls 110243->110283 110284 8e88ff 14 API calls 110243->110284 110285 89b8fd CreateProcessW 110243->110285 110286 8f48f8 5 API calls 110243->110286 110287 8ee8f0 31 API calls 110243->110287 110288 8f500d 3 API calls 110243->110288 110289 8ed008 38 API calls 110243->110289 110290 3bebdb7b 27 API calls 110243->110290 110291 3bd65344 5 API calls 110243->110291 110292 89f81c 4 API calls 110243->110292 110293 3beb7b73 2 API calls 110243->110293 110294 3bec5376 ReadFile 110243->110294 110295 8f4813 8 API calls 110243->110295 110296 3bd7a371 7 API calls 110243->110296 110297 8f5829 ReadFile 110243->110297 110298 3bebdb42 27 API calls 110243->110298 110299 8ee025 33 API calls 110243->110299 110300 8f4035 12 API calls 110243->110300 110301 3bec3356 10 API calls 110243->110301 110302 8f4030 12 API calls 110243->110302 110303 8ed04a 35 API calls 110243->110303 110304 3bd7a31b 7 API calls 110243->110304 110305 8ef05f 22 API calls 110243->110305 110306 8e405b 5 API calls 110243->110306 110307 8e7854 CreateDirectoryW 110243->110307 110308 8ef054 22 API calls 110243->110308 110309 3bebfb36 11 API calls 110243->110309 110310 8f506c 3 API calls 110243->110310 110311 8ea07c RegOpenKeyExW 110243->110311 110312 8f587c ReadFile 110243->110312 110313 3beb7b1e 2 API calls 110243->110313 110314 8f5078 3 API calls 
110243->110314 110315 3bd65b28 VirtualAlloc 110243->110315 110316 3beb72ee 9 API calls 110243->110316 110317 8e419e 2 API calls 110243->110317 110318 8f499c 4 API calls 110243->110318 110319 8a9199 3 API calls 110243->110319 110320 89b99e CreateProcessW 110243->110320 110321 3bd652ce 12 API calls 110243->110321 110322 3bd6b2cc CreateProcessW 110243->110322 110323 8e9991 5 API calls 110243->110323 110324 8969a9 2 API calls 110243->110324 110325 3bebe2cf 26 API calls 110243->110325 110326 8af9ae ReadProcessMemory 110243->110326 110327 8ed1ab 36 API calls 110243->110327 110328 8e41a9 2 API calls 110243->110328 110329 3bec2ac4 10 API calls 110243->110329 110330 8ed9a7 33 API calls 110243->110330 110331 3bebeac6 24 API calls 110243->110331 110332 8f39a0 15 API calls 110243->110332 110333 3bec2adb 10 API calls 110243->110333 110334 3bd65ae1 3 API calls 110243->110334 110335 8e71b6 CreateDirectoryW 110243->110335 110336 8959b0 4 API calls 110243->110336 110337 3bd65aec 3 API calls 110243->110337 110338 8e79b5 3 API calls 110243->110338 110339 3beb72d7 9 API calls 110243->110339 110340 8e71b1 CreateDirectoryW 110243->110340 110341 3beb7aab 2 API calls 110243->110341 110342 8a31c9 3 API calls 110243->110342 110343 8e89c8 11 API calls 110243->110343 110344 3beb72a2 11 API calls 110243->110344 110345 8e71c0 CreateDirectoryW 110243->110345 110346 8e89df 11 API calls 110243->110346 110347 8ee9dd 31 API calls 110243->110347 110348 3bebe2bc 26 API calls 110243->110348 110349 8e79ee 3 API calls 110243->110349 110350 8969ea 2 API calls 110243->110350 110351 3bd6b2b2 CreateProcessW 110243->110351 110352 8e41e6 LoadLibraryW 110243->110352 110353 8f51e4 2 API calls 110243->110353 110354 8f39e1 14 API calls 110243->110354 110355 8959f9 VirtualAlloc 110243->110355 110356 8e79ff 3 API calls 110243->110356 110357 89a9fc CreateProcessW 110243->110357 110358 8e41f4 LoadLibraryW 110243->110358 110359 8f39f4 13 API calls 110243->110359 110360 3bd6b2ad CreateProcessW 110243->110360 110361 
3beb7a94 2 API calls 110243->110361 110362 8f490f 4 API calls 110243->110362 110363 8f590e ReadFile 110243->110363 110364 3bebda68 27 API calls 110243->110364 110365 3bec3a68 10 API calls 110243->110365 110366 89e90c 4 API calls 110243->110366 110367 8a1103 Wow64GetThreadContext 110243->110367 110368 8f4106 12 API calls 110243->110368 110369 3beb7261 12 API calls 110243->110369 110370 3bec5267 ReadFile 110243->110370 110371 8e4119 4 API calls 110243->110371 110372 898911 2 API calls 110243->110372 110373 89b913 CreateProcessW 110243->110373 110374 3beb7276 11 API calls 110243->110374 110375 8e8910 14 API calls 110243->110375 110376 8ed92d 33 API calls 110243->110376 110377 8e512b 6 API calls 110243->110377 110378 3bebe24c 26 API calls 110243->110378 110379 3bd6b271 2 API calls 110243->110379 110380 8e9126 6 API calls 110243->110380 110381 8ed126 37 API calls 110243->110381 110382 8e6924 CreateDirectoryW 110243->110382 110383 3bebfa44 14 API calls 110243->110383 110384 8ed13f 36 API calls 110243->110384 110385 8e693b CreateDirectoryW 110243->110385 110386 3bd8326e Wow64SetThreadContext 110243->110386 110387 3bec5254 ReadFile 110243->110387 110388 8f3936 13 API calls 110243->110388 110389 3bebe251 26 API calls 110243->110389 110390 3bd66a6a VirtualAlloc 110243->110390 110391 8f594e ReadFile 110243->110391 110392 3bebb229 ReadFile 110243->110392 110393 8e894a 11 API calls 110243->110393 110394 8ec143 RegSetValueExW 110243->110394 110395 3bebda3b 27 API calls 110243->110395 110396 3bebea3e 25 API calls 110243->110396 110397 3bec3a3b 10 API calls 110243->110397 110398 8e4155 2 API calls 110243->110398 110399 8e9955 6 API calls 110243->110399 110400 8e8952 11 API calls 110243->110400 110401 3bec3a30 10 API calls 110243->110401 110402 8f3968 13 API calls 110243->110402 110403 3bd6323c VirtualProtectEx 110243->110403 110404 89f962 5 API calls 110243->110404 110405 8f5160 2 API calls 110243->110405 110406 8b397d Wow64SetThreadContext 110243->110406 110407 8ed179 36 API 
calls 110243->110407 110408 8e4174 LoadLibraryW 110243->110408 110409 3bec3a16 10 API calls 110243->110409 110410 3bd6aa2d CreateProcessW 110243->110410 110411 3bebea14 25 API calls 110243->110411 110412 3bd6b9d6 CreateProcessW 110243->110412 110413 8f8a85 10 API calls 110243->110413 110414 3bec39e1 11 API calls 110243->110414 110415 8e9a9f 5 API calls 110243->110415 110416 8e3a9a 5 API calls 110243->110416 110417 3bec39f4 10 API calls 110243->110417 110418 8e7a94 2 API calls 110243->110418 110419 8f5293 ReadFile 110243->110419 110420 8ef292 22 API calls 110243->110420 110421 3bd731c9 3 API calls 110243->110421 110422 8e8aac 12 API calls 110243->110422 110423 89b2ad CreateProcessW 110243->110423 110424 8e7aab 2 API calls 110243->110424 110425 8f9aaa WriteFile 110243->110425 110426 8f42a6 13 API calls 110243->110426 110427 3bd6a9fc CreateProcessW 110243->110427 110428 3beb71c0 CreateDirectoryW 110243->110428 110429 8e72a2 12 API calls 110243->110429 110430 3bd659f9 VirtualAlloc 110243->110430 110431 8ee2bc 32 API calls 110243->110431 110432 3bebe9dd 25 API calls 110243->110432 110433 89b2b2 CreateProcessW 110243->110433 110434 3bd669ea 2 API calls 110243->110434 110435 3bebd1ab 30 API calls 110243->110435 110436 8ee2cf 32 API calls 110243->110436 110437 89b2cc CreateProcessW 110243->110437 110438 8952ce 13 API calls 110243->110438 110439 8eeac6 30 API calls 110243->110439 110440 8f2ac4 13 API calls 110243->110440 110441 3bebd9a7 27 API calls 110243->110441 110442 3bec39a0 12 API calls 110243->110442 110443 8ef2c3 21 API calls 110243->110443 110444 3bd79199 3 API calls 110243->110444 110445 8e42c1 2 API calls 110243->110445 110446 8f2adb 13 API calls 110243->110446 110447 8e72d7 9 API calls 110243->110447 110448 8f42d6 12 API calls 110243->110448 110449 3beb71b1 CreateDirectoryW 110243->110449 110450 3beb71b6 CreateDirectoryW 110243->110450 110451 3beb79b5 3 API calls 110243->110451 110452 8f42d0 12 API calls 110243->110452 110453 8e72ee 9 API calls 110243->110453 
110454 895aec 3 API calls 110243->110454 110455 3bd659b0 4 API calls 110243->110455 110456 895ae1 3 API calls 110243->110456 110457 3bec499c 2 API calls 110243->110457 110458 3bd7f9ae 12 API calls 110243->110458 110459 3bd669a9 2 API calls 110243->110459 110460 3bec3968 10 API calls 110243->110460 110461 3bebd179 30 API calls 110243->110461 110462 8f3a16 13 API calls 110243->110462 110463 8eea14 31 API calls 110243->110463 110464 8e3a14 5 API calls 110243->110464 110465 3bec594e ReadFile 110243->110465 110466 8e7a2d 3 API calls 110243->110466 110467 3bd7a974 3 API calls 110243->110467 110468 8e422a 2 API calls 110243->110468 110469 89aa2d CreateProcessW 110243->110469 110470 8e9a2b 5 API calls 110243->110470 110471 8f9a2a 2 API calls 110243->110471 110472 3bd8397d Wow64SetThreadContext 110243->110472 110473 8eb229 ReadFile 110243->110473 110474 3bebc143 RegSetValueExW 110243->110474 110475 8eea3e 31 API calls 110243->110475 110476 8ada38 WriteProcessMemory 110243->110476 110477 3bd7a164 8 API calls 110243->110477 110478 8f3a3b 13 API calls 110243->110478 110479 8eda3b 33 API calls 110243->110479 110480 3bd82964 7 API calls 110243->110480 110481 8ef230 21 API calls 110243->110481 110482 8f3a30 13 API calls 110243->110482 110483 8ee24c 32 API calls 110243->110483 110484 3bd6b913 CreateProcessW 110243->110484 110485 3bebd92d 27 API calls 110243->110485 110486 3bd68911 2 API calls 110243->110486 110487 8f5245 2 API calls 110243->110487 110488 8efa44 18 API calls 110243->110488 110489 3beb6924 CreateDirectoryW 110243->110489 110490 3beb693b CreateDirectoryW 110243->110490 110491 3bebd13f 30 API calls 110243->110491 110492 3bd71103 Wow64GetThreadContext 110243->110492 110493 3bec3936 10 API calls 110243->110493 110494 8f5254 ReadFile 110243->110494 110495 8ee251 32 API calls 110243->110495 110496 3bec590e ReadFile 110243->110496 110497 3bec490f 2 API calls 110243->110497 110498 896a6a VirtualAlloc 110243->110498 110499 8b326e Wow64SetThreadContext 110243->110499 110500 
3bec3e6b VirtualAlloc 116301->116302 116309 3beb6940 CreateDirectoryW 116308->116309 116313 3bebd17d 116312->116313 116329 8efaa0 116328->116329 116331 8efa5d CreateFileW 116328->116331 116329->116331 116344 3beb6931 CreateDirectoryW 116343->116344 116348 3bd794a0 116347->116348 116354 8f5248 116353->116354 116360 3bd6b919 CreateProcessW 116359->116360 116364 3bebd914 116363->116364 116364->116363 116370 8f3a37 VirtualAlloc 116369->116370 116377 8ee257 116376->116377 116418 3bd826b5 116409->116418 116419 3bd828e5 116409->116419 116418->116419 116430 8ef1d7 116429->116430 116457 8f3a40 VirtualAlloc 116456->116457 116464 8eda5d 116463->116464 116470 8ada54 116469->116470 116485 3bd7a170 116473->116485 116491 3bebc261 116490->116491 116494 8eea4e 116492->116494 116495 8ee953 116492->116495 116495->116494 116526 3bd83d83 Wow64SetThreadContext 116525->116526 116530 8f5682 116529->116530 116534 8e97a7 116533->116534 116548 8f9a7c 116547->116548 116550 8f9a6d WriteFile 116547->116550 116554 8e422e 116553->116554 116560 89aa3a CreateProcessW 116559->116560 116564 8e7a8d CreateDirectoryW 116563->116564 116565 8e7a94 2 API calls 116563->116565 116565->116564 116569 3bd7adea 116568->116569 116744 3beb71ba CreateDirectoryW 116743->116744 116748 8f3e77 VirtualAlloc 116747->116748 116754 8e72f5 116753->116754 116775 3bd7913b 116773->116775 116783 8e42d0 116782->116783 116789 3bec39cc 116788->116789 116798 8ef2c6 116797->116798 116822 8f2ade VirtualAlloc 116821->116822 116829 3bebd9ab 116828->116829 116835 8a31c9 3 API calls 116834->116835 116855 8eeadc 116854->116855 116886 8ee2d5 116885->116886 116919 89b2cf CreateProcessW 116918->116919 116923 3bd66a42 116922->116923 116925 3bd66a36 VirtualAlloc 116922->116925 116929 3bebd1ba 116928->116929 116946 3bebe953 116944->116946 116975 89b2cf CreateProcessW 116974->116975 116980 3bd65f2e 116978->116980 116983 8ee2d5 116982->116983 117016 3beb71c1 CreateDirectoryW 117015->117016 117021 8e72a8 117019->117021 117044 8f42bc 117043->117044 
117046 8f4186 117043->117046 117046->109568 117054 3bd6aa3a CreateProcessW 117053->117054 117059 8e7aae 117057->117059 117064 8f9ad5 WriteFile 117063->117064 117073 8e8b5d 117067->117073 117103 89b2b6 CreateProcessW 117102->117103 117107 8ef1d7 117106->117107 117134 3bd735b1 117133->117134 117143 8e7aae 117141->117143 117148 8f5353 117147->117148 117152 8e3dd4 117151->117152 117156 3bec3e6b VirtualAlloc 117155->117156 117163 3bec39f4 10 API calls 117162->117163 117171 8e9aa4 117170->117171 117185 3bd6bdec CreateProcessW 117184->117185 117189 3bec2ade VirtualAlloc 117188->117189 117196 3bd6aa3a CreateProcessW 117195->117196 117200 3bebe953 117199->117200 117230 8e45ea 117229->117230 117234 3bec3a37 VirtualAlloc 117233->117234 117241 8b3d83 Wow64SetThreadContext 117240->117241 117245 8ed17d 117244->117245 117257 89f996 117256->117257 117268 8f517a 117264->117268 117271 8f3e6b VirtualAlloc 117270->117271 117278 3bd79587 VirtualProtectEx 117277->117278 117282 8e8958 117281->117282 117311 3bec3a37 VirtualAlloc 117310->117311 117318 8e4174 LoadLibraryW 117317->117318 117323 8e996b 117322->117323 117325 8e9835 117322->117325 117340 3bebea4e 117338->117340 117341 3bebe953 117338->117341 117341->117340 117369 3bec3a40 VirtualAlloc 117368->117369 117376 8ec261 117375->117376 117378 3bebda5d 117377->117378 117384 3bec5682 117383->117384 117388 8e8958 117387->117388 117417 3bd66a7e VirtualAlloc 117416->117417 117421 8f5969 ReadFile 117420->117421 117425 8f3e6b VirtualAlloc 117424->117425 117432 3bebe616 117431->117432 117468 3bd83d8f Wow64SetThreadContext 117467->117468 117471 3bec526d ReadFile 117470->117471 117475 8ed17d 117474->117475 117487 8e6940 CreateDirectoryW 117486->117487 117491 8e6931 CreateDirectoryW 117490->117491 117495 3bebfaa0 117494->117495 117496 3bebfa5d CreateFileW 117494->117496 117495->117496 117513 8e952b 117512->117513 117531 8ed129 117530->117531 117543 3bebe257 117542->117543 117579 3bd6b2a6 117578->117579 117587 8ed914 117586->117587 117587->117586 
117765 8f5d7f ReadFile 117764->117765 117769 3bd6b2b6 CreateProcessW 117768->117769 117774 3beb7aae 117772->117774 117779 8e41f8 117778->117779 117783 8f3e6b VirtualAlloc 117782->117783 117790 8e7a04 117789->117790 117796 89aa3a CreateProcessW 117795->117796 117800 8f39f4 13 API calls 117799->117800 117809 895f2e 117807->117809 117812 8e41f2 117811->117812 117817 8f51ea 117815->117817 117822 896a42 117821->117822 117824 896a36 VirtualAlloc 117821->117824 117828 3bd6b2cf CreateProcessW 117827->117828 117832 3bebe2d5 117831->117832 117868 8e7a04 117867->117868 117874 8e89e6 117873->117874 117904 8ee953 117902->117904 117936 3beb72a8 117935->117936 117964 8e71c1 CreateDirectoryW 117963->117964 117968 8a35b1 117967->117968 117976 8e89cb 117975->117976 118005 8e71ba CreateDirectoryW 118004->118005 118010 3beb7aae 118008->118010 118016 8e79c4 118014->118016 118021 3beb72f5 118020->118021 118043 8959b6 118042->118043 118049 3bd65af0 118048->118049 118057 3bd65af0 118056->118057 118065 8e71ba CreateDirectoryW 118064->118065 118069 8f39cc 118068->118069 118078 3bec3e77 VirtualAlloc 118077->118078 118084 8ed9ab 118083->118084 118090 3bebeadc 118089->118090 118118 8e41ac 118117->118118 118124 8ee953 118123->118124 118157 8afeea ReadProcessMemory 118156->118157 118160 8ed1ba 118159->118160 118172 8969dd 118171->118172 118174 8969ce VirtualAlloc 118171->118174 118172->118174 118178 3bebe2d5 118177->118178 118214 3bd6b2cf CreateProcessW 118213->118214 118218 8e99ac 118217->118218 118232 89b9d6 CreateProcessW 118231->118232 118236 3bd731c9 3 API calls 118235->118236 118263 8f49be 118259->118263 118273 8a913b 118271->118273 118281 3beb76b8 118280->118281 118303 8e41a1 118302->118303 118309 8f507c 118308->118309 118318 3bd65b31 118316->118318 118321 8f5d7f ReadFile 118320->118321 118325 3beb7abb 118324->118325 118331 8f4fb1 118330->118331 118339 8ea0a1 RegOpenKeyExW 118338->118339 118343 8ef062 118342->118343 118370 3bebfb3a CreateFileW 118369->118370 118380 8e4088 118379->118380 
118382 8e40cb 118379->118382 118391 8e7cd9 CreateDirectoryW 118390->118391 118398 3bd7a2b2 118394->118398 118412 8ef062 118411->118412 118439 8f403c 118438->118439 118447 8ed4d4 118446->118447 118457 8f403c 118456->118457 118465 3bec3e77 VirtualAlloc 118464->118465 118471 3bebdb46 CloseHandle 118470->118471 118477 8ee07e CloseHandle 118476->118477 118486 3bd7a2b2 118482->118486 118486->118482 118500 8f582d ReadFile 118499->118500 118504 3bec575e 118503->118504 118511 8f46b1 118507->118511 118527 89fcab VirtualAlloc 118526->118527 118534 3beb7abb 118532->118534 118539 3bebe07e CloseHandle 118538->118539 118545 3bd65718 118544->118545 118554 8f4fb1 118553->118554 118562 8ed00e 118561->118562 118577 8f490f 4 API calls 118576->118577 118590 3bebf3fa 118589->118590 118610 8e8917 118609->118610 118786 3beba0d5 RegOpenKeyExW 118785->118786 118790 8e98c5 118789->118790 118804 3bebdbdf CloseHandle 118803->118804 118812 3beb7bad 118809->118812 118816 8ea0b5 RegOpenKeyExW 118815->118816 118820 8e98b8 118819->118820 118834 8e45ea 118833->118834 118838 3beba0d5 RegOpenKeyExW 118837->118838 118843 3bd7913b 118841->118843 118844 3bd79380 118841->118844 118843->118844 118851 8e660b 118850->118851 118855 8e6615 118850->118855 118851->118855 118877 89b8c0 CreateProcessW 118876->118877 118888 8f46b1 118880->118888 118900 8e68ba 17 API calls 118899->118900 118902 8e68af 118899->118902 118900->118902 118925 8ed8d3 118924->118925 118931 3bebffba CreateFileW 118930->118931 118941 8e952b 118940->118941 118959 8f4405 118958->118959 118967 8ea0b0 RegOpenKeyExW 118966->118967 118971 89fcab VirtualAlloc 118970->118971 118977 8f68b6 118976->118977 118981 3bd7a2b2 118980->118981 118981->118980 118998 8f68ae CreateFileW 118997->118998 119003 3bd65718 119002->119003 119012 3beb7c07 119011->119012 119018 8e98b8 119017->119018 119032 3beb9c0e RegOpenKeyExW 119031->119032 119038 8e7906 119035->119038 119040 8e78c3 CreateDirectoryW 119035->119040 119038->119040 119042 8ea0a1 RegOpenKeyExW 
119041->119042 119046 3bebdc0a CloseHandle 119045->119046 119057 8f46b1 119051->119057 119071 8ed0fc 119070->119071 119073 8ed0b9 119070->119073 119083 8a1c44 Wow64GetThreadContext 119082->119083

                                                                Control-flow Graph

                                                                APIs
                                                                • LoadLibraryW.KERNELBASE(FFFFE180), ref: 0089142B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID: D@JN$E$G$H$M$V$W$a$d$d$e$e$e$l$l$n$o$t$u$x$3$3
                                                                • API String ID: 1029625771-4042423897

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID: 3:7B$F$G$PNM5$S$e$e$e$i$i$l$t$z
                                                                • API String ID: 823142352-306576767

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 5P5M$C$F$P?L=$W$^P$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 0-4150171463

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 5P5M$C$F$W$^P$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 0-3650445608

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 3EF4$5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3006875395

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 0-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 008EE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: A998$e|$3
                                                                • API String ID: 0-38523410
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID: e|$3
                                                                • API String ID: 2738559852-1726640827
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: e|$3
                                                                • API String ID: 0-1726640827
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID: e|$3
                                                                • API String ID: 4241100979-1726640827
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 008E7CFA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID: e|$3
                                                                • API String ID: 4241100979-1726640827
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: "r;$:FOK
                                                                • API String ID: 0-3416402625
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID: e|$3
                                                                • API String ID: 544645111-1726640827
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID: "r;$:FOK
                                                                • API String ID: 4241100979-3416402625
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID: EBM>$V
                                                                • API String ID: 544645111-4161760328
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: S$_W
                                                                • API String ID: 4275171209-1850906522
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: e|$3
                                                                • API String ID: 4275171209-1726640827
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?5IC$O6@F$V
                                                                • API String ID: 0-1412617190
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?5IC$O6@F$V
                                                                • API String ID: 0-1412617190
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?5IC$O6@F$V
                                                                • API String ID: 0-1412617190
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ?5IC$O6@F$V
                                                                • API String ID: 0-1412617190
                                                                • Opcode ID: eb8dbc94bbbfb2e459a11031ced266b819da70190ea21eb6315c359c40bf1491
                                                                • Instruction ID: 1f6991843798f2a6ccf62949f5ad2196342b656677c2f46ee1615f45682eaa0d
                                                                • Opcode Fuzzy Hash: eb8dbc94bbbfb2e459a11031ced266b819da70190ea21eb6315c359c40bf1491
                                                                • Instruction Fuzzy Hash: 7552D712E2466987DB78CB79DC1169FA2B3EF58300F04D4FD940DE7664F6704AC99B0A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID: Qj@h
                                                                • API String ID: 544645111-2762301250
                                                                • Opcode ID: 97d9fb81ebf5ca76cdea45e15b21a9eb6c8b7829e008b44a734a7d7b643e44d8
                                                                • Instruction ID: 767c86b576f88e669b94128f44ff9ac4780755e5f693a5956836696c6afa90ec
                                                                • Opcode Fuzzy Hash: 97d9fb81ebf5ca76cdea45e15b21a9eb6c8b7829e008b44a734a7d7b643e44d8
                                                                • Instruction Fuzzy Hash: C3C13BF2D095589FF7208A25DC44AEB7778FF86314F1480BAD84D92A41E6396EC1CF62
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Qj@h
                                                                • API String ID: 0-2762301250
                                                                • Opcode ID: 9fda01d876a1a9ee716c669931b9a5e98d095f428250b1af7dd47af4e07021c9
                                                                • Instruction ID: 7c9016e187ad28f7dffa7dc56066a21f03d37de109559b721cc52843ba24571a
                                                                • Opcode Fuzzy Hash: 9fda01d876a1a9ee716c669931b9a5e98d095f428250b1af7dd47af4e07021c9
                                                                • Instruction Fuzzy Hash: 03A12FB1D092299AFB208B25DC846FBB775FF85314F1480B6D98D92A80D6395EC1CF62
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Qj@h
                                                                • API String ID: 0-2762301250
                                                                • Opcode ID: aa508bef982a3f4822be32ccd17a338dbdc602d9fb728fdd518a48556a9e2d3e
                                                                • Instruction ID: 911445e60bd96e19ef075fbe1e577597be17063cce76a534c49ac7f6269ba818
                                                                • Opcode Fuzzy Hash: aa508bef982a3f4822be32ccd17a338dbdc602d9fb728fdd518a48556a9e2d3e
                                                                • Instruction Fuzzy Hash: F7911FB2C092589FF7208A65DC846EB7774FF95314F1480BAD88D92A41E6396EC1CF62
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: :FOK
                                                                • API String ID: 0-1546321273
                                                                • Opcode ID: d598eb1bb29654b0315cb20ea9c137a6e233b77599fd1e229d9ae10b3548b176
                                                                • Instruction ID: 01a0564da56e34b721cf8f5834f7117ce8972a188868fc6c7376a3fc47a23963
                                                                • Opcode Fuzzy Hash: d598eb1bb29654b0315cb20ea9c137a6e233b77599fd1e229d9ae10b3548b176
                                                                • Instruction Fuzzy Hash: FB9128F2C092689BFB24CB58DC41AEB7B74EF45314F0441BAD84DA6780E67C5EC5CA92
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: b85b2e1870348b1f434e1193003279f54dbab56a7bff8865984786254beac272
                                                                • Instruction ID: 4e0b745d72112fecf00dc0b04bc0a4512444d6b9e85e5f0b3bc8ff1a37b74a0b
                                                                • Opcode Fuzzy Hash: b85b2e1870348b1f434e1193003279f54dbab56a7bff8865984786254beac272
                                                                • Instruction Fuzzy Hash: 86614BF1D04118AFFB248654ED56BFB7778FBC0310F1881BEE50A96680E77C2AC58A52
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: uCW
                                                                • API String ID: 0-3512965699
                                                                • Opcode ID: 7e7f09b9ed1c3013eb8cb4f153e1eedc83683dd3943617ebe682761ee86a4c43
                                                                • Instruction ID: 8a131b18f9af3267c82e17c4db3e7d5191e80546e57faf38735a12a96d56bea4
                                                                • Opcode Fuzzy Hash: 7e7f09b9ed1c3013eb8cb4f153e1eedc83683dd3943617ebe682761ee86a4c43
                                                                • Instruction Fuzzy Hash: F16105F1D401559AF7608B14DC84BFB7B75EBC0324F1481FAE90996380E63D4EC6CA52
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: YV
                                                                • API String ID: 4275171209-3702526815
                                                                • Opcode ID: e129b39bb272e6c1086d2ab1c4d6b949f4505121c2c60168a226186916f66f79
                                                                • Instruction ID: d313880c7898aa00ca48927a6ef2bc75878a90f65e3cb573be430fe4c8d585b5
                                                                • Opcode Fuzzy Hash: e129b39bb272e6c1086d2ab1c4d6b949f4505121c2c60168a226186916f66f79
                                                                • Instruction Fuzzy Hash: 6C617BF2C04250AFF3148A21DC4DBE77F69FBC2310F1581BEE84D56581D57D9A86CAA2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: e|$3
                                                                • API String ID: 0-1726640827
                                                                • Opcode ID: aead20fb75e1edb8ff06e66f1231084d83737bc607f525dbc02a4fb36f4e3b52
                                                                • Instruction ID: 3cd257fd64311c24158c784a518ef23be780b7a723df0c549db22353a9a41b43
                                                                • Opcode Fuzzy Hash: aead20fb75e1edb8ff06e66f1231084d83737bc607f525dbc02a4fb36f4e3b52
                                                                • Instruction Fuzzy Hash: E3629325E2466987DB78CB39DC516DBA2B3AF58300F04D4FD940DE3664FB704AC99B0A
                                                                APIs
                                                                • LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,008E4051,?,?,?,00000001,008E3D65), ref: 008E4648
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: a3ae2e5f62207797aa623202d320ba10f3064d7bf67d43d48157e8d72eb7eb0f
                                                                • Instruction ID: 2594f5c69587ba57c66b0b5546a2936634a106bc696a936905e5633967eabfc9
                                                                • Opcode Fuzzy Hash: a3ae2e5f62207797aa623202d320ba10f3064d7bf67d43d48157e8d72eb7eb0f
                                                                • Instruction Fuzzy Hash: 5D42B512A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: S
                                                                • API String ID: 0-1211208622
                                                                • Opcode ID: 94efed3c7cd2ec85c97c610d9c2169c00336253853dbda92b1538781eb6b28b1
                                                                • Instruction ID: b4075a90051c0c80179c464f82f4be14c0b94471a3c1f3468c43c55c3b2aa98f
                                                                • Opcode Fuzzy Hash: 94efed3c7cd2ec85c97c610d9c2169c00336253853dbda92b1538781eb6b28b1
                                                                • Instruction Fuzzy Hash: 05620752E2826987DB78CB79DC1179BA2B3EF58300F04D4FD940DE7664F6704AC99B0A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: HN;
                                                                • API String ID: 0-3860028145
                                                                • Opcode ID: 00735a5ea730dcac5f8a8070ed5a97f3b743278dc926be25423d58b7a400fa87
                                                                • Instruction ID: e664c286cba8f556303758100fa4576e239fc08f0dce591623f6e170c8aa950d
                                                                • Opcode Fuzzy Hash: 00735a5ea730dcac5f8a8070ed5a97f3b743278dc926be25423d58b7a400fa87
                                                                • Instruction Fuzzy Hash: E852B612E2466987DB78CB39DC1169FA2B3EF58300F05D8FD940DE7664F6704AC99B0A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 5:=H
                                                                • API String ID: 0-3718395605
                                                                • Opcode ID: 16e6b03d8b47dc6da647b7365d1d4b59126a9cb7b2f2843216a8182b8df511f6
                                                                • Instruction ID: f92985ce92618b3b3ad8a5b34a686b3c7362f0a994be18bd0c0e48f688b49bb3
                                                                • Opcode Fuzzy Hash: 16e6b03d8b47dc6da647b7365d1d4b59126a9cb7b2f2843216a8182b8df511f6
                                                                • Instruction Fuzzy Hash: B152C412E2466986DB78CB39DC1169FA2B3EF58300F05D8FD940DE7664F6704AC99B0A
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 6bd3ab02f75e6fdfae12dadf092c2ae3f9920db81dcd355e91ff4ebbb66a7206
                                                                • Instruction ID: 3b7c6b0b0c29d12a7855bc83a7b03874b3c044e585013fbc4c29f23eb3972003
                                                                • Opcode Fuzzy Hash: 6bd3ab02f75e6fdfae12dadf092c2ae3f9920db81dcd355e91ff4ebbb66a7206
                                                                • Instruction Fuzzy Hash: B6C139F6D082249FFB24CB58DC94BEB7778EB81314F1481FAE90D56681D63C5EC18A92
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 008B3D9D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: e61044ce204f44a89e145b15e814b8e803e00d72af23b6f4de4e775baf2670bb
                                                                • Instruction ID: 835ae45a0e8768843c642a2059c9c096a5a100f1d722b4edd4fef207a034d388
                                                                • Opcode Fuzzy Hash: e61044ce204f44a89e145b15e814b8e803e00d72af23b6f4de4e775baf2670bb
                                                                • Instruction Fuzzy Hash: 4AD1C2F2D081689BF7248A14DC95AEBBB79FB85314F1841FAD90DA2740D6386FC1CE91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c7dd2651572ae6da5b194640ccf87e6ce66ea495376b8ee1cbf91ed6f940d8c2
                                                                • Instruction ID: 2517022fabe8259f7f911608015f9e25bbaedd316f92898af1011b5ec54e54a6
                                                                • Opcode Fuzzy Hash: c7dd2651572ae6da5b194640ccf87e6ce66ea495376b8ee1cbf91ed6f940d8c2
                                                                • Instruction Fuzzy Hash: E2816AF2C102655EF7148B58DC45BFB7778EB84710F0042FAE94E96280EB785EC58BA2
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: d102ac4ff3878d5864cfe36421bde35fceb51514663232590fe4006672993b8e
                                                                • Instruction ID: f5c197db9dd7e573f00c174396671f485bf4271ad916959efb5916df041fe0fe
                                                                • Opcode Fuzzy Hash: d102ac4ff3878d5864cfe36421bde35fceb51514663232590fe4006672993b8e
                                                                • Instruction Fuzzy Hash: E98125B2D085299EF7208A25DC88BFF7B79FF94318F1440BAD50D56681E7781EC1CA51
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Opcode Fuzzy Hash: 2a58029a32e3ae80a5fcb53a12f6ba9a33169204e0740b3b193ae917c06cc3ff
                                                                • Instruction Fuzzy Hash: FC42B512A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 46b480305a4903cb3d57e3560f603391edfa14a395c5bb5888444e64f254d57e
                                                                • Instruction ID: ec60b14d78073ac43c012481cc23090da987a982f0f427e08d0b19fae34b2907
                                                                • Opcode Fuzzy Hash: 46b480305a4903cb3d57e3560f603391edfa14a395c5bb5888444e64f254d57e
                                                                • Instruction Fuzzy Hash: B142B512A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DE7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 958caebf3c909686afe66b4fca4366fd237c9a0c17c975b157e4514bf1d0d591
                                                                • Instruction ID: 448af4a5a0984e7975b5c979df479dff1da60906d577d4bf13944a2a84d59398
                                                                • Opcode Fuzzy Hash: 958caebf3c909686afe66b4fca4366fd237c9a0c17c975b157e4514bf1d0d591
                                                                • Instruction Fuzzy Hash: DE42C516A2466986DB78CB39DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15b320a4e12227806e836458203e605335f636a78f02788f222a048caacf3c2a
                                                                • Instruction ID: 6b71e435b181a7ed9dda20d4b9f821338ffa78d0563d67ab3df6ff7ce49431aa
                                                                • Opcode Fuzzy Hash: 15b320a4e12227806e836458203e605335f636a78f02788f222a048caacf3c2a
                                                                • Instruction Fuzzy Hash: 9A42A312E2466986DB78CB39DC1169FA2B3EF58300F05D8FD940DE7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 027654de364b2a499c5260a5da76652f652b28d684eb9e341d23cbc8b08444ac
                                                                • Instruction ID: dd451640cab9ebebbf947e696c68ff25957900cc732cf56079804fbfc62b58eb
                                                                • Opcode Fuzzy Hash: 027654de364b2a499c5260a5da76652f652b28d684eb9e341d23cbc8b08444ac
                                                                • Instruction Fuzzy Hash: 8B42C512A2466986DB78CB39DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a3ae2e5f62207797aa623202d320ba10f3064d7bf67d43d48157e8d72eb7eb0f
                                                                • Instruction ID: fb82af8ffd0a65a2f91905a3b1e1360b197725b67678bf76b505393c7c914965
                                                                • Opcode Fuzzy Hash: a3ae2e5f62207797aa623202d320ba10f3064d7bf67d43d48157e8d72eb7eb0f
                                                                • Instruction Fuzzy Hash: A742C512A2466986DB78CB39DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f9ad59e0b4a6ddb01c31e2ff6bc38ce07b4524d8499eb671735305a5ce0f63b6
                                                                • Instruction ID: b179bd0ae0ecd1a3b8f921d3aa9179185a937464ad2a32e54f91c5d0b45cde98
                                                                • Opcode Fuzzy Hash: f9ad59e0b4a6ddb01c31e2ff6bc38ce07b4524d8499eb671735305a5ce0f63b6
                                                                • Instruction Fuzzy Hash: 1F42B516A2466986DB78CB79DC1129FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 43e43047d96bd8fdf89e7b967bdd5215594aa3ecb9b60a9821df96cd253c2e59
                                                                • Instruction ID: 46561edf0514077cd8941c18c8beac8106da09fbd3b4ff412bfd36a67209075c
                                                                • Opcode Fuzzy Hash: 43e43047d96bd8fdf89e7b967bdd5215594aa3ecb9b60a9821df96cd253c2e59
                                                                • Instruction Fuzzy Hash: C0429512A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 778af2e9367e54bfebc0ed1c0b3181fd8fba3d44f95bb9eed05216895a01096e
                                                                • Instruction ID: 86bd064babacad0416d6d6fd3dbfb0051e543986e3ac45372a948cea62942cc9
                                                                • Opcode Fuzzy Hash: 778af2e9367e54bfebc0ed1c0b3181fd8fba3d44f95bb9eed05216895a01096e
                                                                • Instruction Fuzzy Hash: D942A512A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 423039d1ed93768a6da9b6d9a50670f5783d0a03a2d24fcc7babbba66be33c34
                                                                • Instruction ID: 6decbb8c8be872071cc28c87a03047e10e90ad91afffaec5973e54d041adeef9
                                                                • Opcode Fuzzy Hash: 423039d1ed93768a6da9b6d9a50670f5783d0a03a2d24fcc7babbba66be33c34
                                                                • Instruction Fuzzy Hash: D042A412A2466987DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704A899B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 06e198531bca682c0e6a334e34a51219d10fed6ef348be7f4a271bab048c2525
                                                                • Instruction ID: 8a44dac6d4ffb6568d88f1f2e5d753fc9bc2c239fb5e2781b0d7a57a7fd198b6
                                                                • Opcode Fuzzy Hash: 06e198531bca682c0e6a334e34a51219d10fed6ef348be7f4a271bab048c2525
                                                                • Instruction Fuzzy Hash: 5342A412A2466986DB78CB79DC1129FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 64de4c36bba4274c335fe3fc82e6ccff8b4f10cfb1c2c18ac7fde06db0f93f52
                                                                • Instruction ID: fe513fbbf32a02aef760657581636fc3b886637e871e521fec743c26a60495a1
                                                                • Opcode Fuzzy Hash: 64de4c36bba4274c335fe3fc82e6ccff8b4f10cfb1c2c18ac7fde06db0f93f52
                                                                • Instruction Fuzzy Hash: F142A412A2466986DB78CB79DC1169FA2B3AF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e5f9d83e850b5b465ae3f6f99bb3024d845f713aa4a85bfb8b133f12f1fb832d
                                                                • Instruction ID: acea215d9b8a2c639eec05cafb6f236f769b36e6d4e5c1b2ff2dcce5c9135c7f
                                                                • Opcode Fuzzy Hash: e5f9d83e850b5b465ae3f6f99bb3024d845f713aa4a85bfb8b133f12f1fb832d
                                                                • Instruction Fuzzy Hash: 4E429516A2466986DB78CB79DC1129FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5aa72bdebd5d8774cadf334b9a44f24f8e708f15d9682b7d029d80f7c0cf9c12
                                                                • Instruction ID: 1ad34c21daa2d921f4e2919d39801cd7f7ce248ac4bc13784632b1d4b86d894d
                                                                • Opcode Fuzzy Hash: 5aa72bdebd5d8774cadf334b9a44f24f8e708f15d9682b7d029d80f7c0cf9c12
                                                                • Instruction Fuzzy Hash: 7E42A512A2466986DB78CB79DC1129FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 07a6b9af00aa6b5addb2034024adf425b2db825dd1cf4e696e7218e765569c4c
                                                                • Instruction ID: 1f6572e48835dbbc6e61420152056692ae8f83275ccbc9fff964782a808d1f4e
                                                                • Opcode Fuzzy Hash: 07a6b9af00aa6b5addb2034024adf425b2db825dd1cf4e696e7218e765569c4c
                                                                • Instruction Fuzzy Hash: DF42A416A2466987DB78CB79DC1129FA2B3AF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6edf4ff80c5186d7c465df4ca28dd7e431a386f84f280900057186c49d64aa27
                                                                • Instruction ID: 7e5202ef97bf8d5a85f09c9c0a8cbe92bb53e13f6423c1276c2f79d2811dbfa9
                                                                • Opcode Fuzzy Hash: 6edf4ff80c5186d7c465df4ca28dd7e431a386f84f280900057186c49d64aa27
                                                                • Instruction Fuzzy Hash: 6E429416A2466987DB78CB79DC1129FA2B3EF58300F04D8FD940DF7664F6704A899B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7506965c8956c9522cb5ad1671b9a2be9bb744c6186d22e37f8e5331b8ea94af
                                                                • Instruction ID: 8a9fda839145d317842585d161baca8b1e14619e234a0ee85bc4f9d159ceb73c
                                                                • Opcode Fuzzy Hash: 7506965c8956c9522cb5ad1671b9a2be9bb744c6186d22e37f8e5331b8ea94af
                                                                • Instruction Fuzzy Hash: 2042A412A2466986DB78CB79DC1169FA2B3AF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 592ce802872181b0cb1209d126dd78f173533e5f2f12401b807aa78a459fefb4
                                                                • Instruction ID: 0e352e61fcf78d8a6fab30b64cd2b81f10c6509641e4a9a0c5a2eae9f4100ee3
                                                                • Opcode Fuzzy Hash: 592ce802872181b0cb1209d126dd78f173533e5f2f12401b807aa78a459fefb4
                                                                • Instruction Fuzzy Hash: EC42A512A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 06d3ed0f8cf187ee04761edeb0da165f4ab27256d0b76234c938bf774b390bb8
                                                                • Instruction ID: 3ab763e024bb02e9d68c6b2166b47840fbd554aca72757c28bdcd7fdbf649465
                                                                • Opcode Fuzzy Hash: 06d3ed0f8cf187ee04761edeb0da165f4ab27256d0b76234c938bf774b390bb8
                                                                • Instruction Fuzzy Hash: 0742A412A2466987DB78CB79DC1129FA2B3AF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c638d9780fa64fa48e80259df8e3e293d456f4716728fd62fdedd40f1b01eb35
                                                                • Instruction ID: 6e36c038dfea649a8423e71a97668fe42e016e356258b98d3948c5f87c903291
                                                                • Opcode Fuzzy Hash: c638d9780fa64fa48e80259df8e3e293d456f4716728fd62fdedd40f1b01eb35
                                                                • Instruction Fuzzy Hash: BD429412A2466986DB78CB79DC1169FA2B3EF58300F04D8FD940DF7664F6704AC99B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd09a76c61b781f371fe4427c7b9909b83b3685d8f477569ba6ac9d848e8ed0f
                                                                • Instruction ID: cb10dac8ebfe84e1e1aea7512ebd4c1598c71b0b834716817985f808a03d2904
                                                                • Opcode Fuzzy Hash: fd09a76c61b781f371fe4427c7b9909b83b3685d8f477569ba6ac9d848e8ed0f
                                                                • Instruction Fuzzy Hash: 6242A412A2466987DB78CB79DC1129FA2B3AF58300F04D8FD940DF7664F6704A899B0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ef627ac3f6e8f67043b2491845b9a7e22600a9eb87b3e74e4a9bd86f4dc3d219
                                                                • Instruction ID: 4507a445e7b8e9211cddc1637a998d1d84b65d20244d2086ca9a91915d7712c4
                                                                • Opcode Fuzzy Hash: ef627ac3f6e8f67043b2491845b9a7e22600a9eb87b3e74e4a9bd86f4dc3d219
                                                                • Instruction Fuzzy Hash: 5A429416A2466987DB78CB79DC1129FA2B3EF58300F04D8FD940DF7664F6704A899B0E

                                                                Control-flow Graph (rendered graph omitted; in the original rendering each block is marked Executed or Not Executed)
                                                                • Block 94: 890607-89fcd8, calls VirtualAlloc
                                                                • Block 99: 89fcda
                                                                • Block 100: 89fcdf-89fdbf, call 89fdc0
                                                                • Block 101: 8b5d06-8b5d1d
                                                                • Edges: 94->99, 94->100, 99->101, 100->101
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: C$G$T$a$d$e$e$e$h$n$o$r$t$t$t$x
                                                                • API String ID: 4275171209-902913966
                                                                • Opcode ID: d82efc5077e4cb8f940cf63e6443f08b7563a7672d75b281068d14c4a0cdac30
                                                                • Instruction ID: 03eff4bfdd7cfa3d320ea45edfe6fb1c4b0f5613babfe2020d6ed4145178e84f
                                                                • Opcode Fuzzy Hash: d82efc5077e4cb8f940cf63e6443f08b7563a7672d75b281068d14c4a0cdac30
                                                                • Instruction Fuzzy Hash: DC317850C486DCCDEB218615CC087D9BFE1BB52319F0881E9C5C966282CBBB1ED4CFA2
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: ea2726212cf36c4f0a508114a5e93c178df1c6a49787c28a2ed162b384f28155
                                                                • Instruction ID: c301289ae32f43b82ddb3447624f4aa9de1daf31eeacc2ce74d7eefb833b54c8
                                                                • Opcode Fuzzy Hash: ea2726212cf36c4f0a508114a5e93c178df1c6a49787c28a2ed162b384f28155
                                                                • Instruction Fuzzy Hash: DC5104B2D082689EFB24C718DC59BDB7B78DB81714F0840FAD94C16280D67D5ED58EA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: ddb7bccc116bdbe94f2487397e8be9ed4cc79195d95d94e3b003af1e92a832ab
                                                                • Instruction ID: 42f01c4dd40232fa062b302453edb29d6a63444171ccc369169394b4ff7f0333
                                                                • Opcode Fuzzy Hash: ddb7bccc116bdbe94f2487397e8be9ed4cc79195d95d94e3b003af1e92a832ab
                                                                • Instruction Fuzzy Hash: DB51F9B1D082689EFB248728DC49BDB7B74EB91714F0440FAD44D16281D67D5EC68FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: d9297f27eb320548d5510cab110dc0976b1d6eb0051995f108286623b9f03be1
                                                                • Instruction ID: d3139e9a8b13dca97a76f61522ca653b362d7cb1e1068b48c5d79f7dca04f270
                                                                • Opcode Fuzzy Hash: d9297f27eb320548d5510cab110dc0976b1d6eb0051995f108286623b9f03be1
                                                                • Instruction Fuzzy Hash: B75105B1D082689EFB24C728DC49BEB7B74AB51714F0440FAD84C16281D6795EC58FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 322c783329bcc2983e533410743b8fa6ce166e40282c321a49490cb5e858d512
                                                                • Instruction ID: e154a4aeebaef99965765db6c8d0cd0e1ac03480ccef939e4723694e50bc3cce
                                                                • Opcode Fuzzy Hash: 322c783329bcc2983e533410743b8fa6ce166e40282c321a49490cb5e858d512
                                                                • Instruction Fuzzy Hash: 014108B2D082A89EFB248728DC49BDB7F68DB51710F0400FAD84C16281D67D5FD58AA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 4defacf141bbfd44142c436516b804d60fdcf417726a7344f93bee79191f3df3
                                                                • Instruction ID: c992998db1305f42b037c82ad36f8455692a062393d04db5b7d3eebc97abedca
                                                                • Opcode Fuzzy Hash: 4defacf141bbfd44142c436516b804d60fdcf417726a7344f93bee79191f3df3
                                                                • Instruction Fuzzy Hash: 2141F5B1D0C2A89AFB24C728DC49BDB7F74AB91710F0840FAD44C16281D67D5AC68FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 1f6d4758d9ebff923557b00a34cf570b48c8a23050b5d15901241565f4359b9e
                                                                • Instruction ID: ddd9f6e956be370ca3cba855a4d873980d76c16b409a2c69088f7dab7094d9d0
                                                                • Opcode Fuzzy Hash: 1f6d4758d9ebff923557b00a34cf570b48c8a23050b5d15901241565f4359b9e
                                                                • Instruction Fuzzy Hash: 4241F5B1D0C2A89EFB248728DC59BEB7F749B41714F0840FAD44D16281D67D5EC58BA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 4c14ede1e96190d2c3dc6a99c705509ab44c6d77ff3013459abb8ca33e2cf27f
                                                                • Instruction ID: 716d9848de01d787c7e59117c8ed9a63313bcee2b73dea4c5ac9c14a137ea7ce
                                                                • Opcode Fuzzy Hash: 4c14ede1e96190d2c3dc6a99c705509ab44c6d77ff3013459abb8ca33e2cf27f
                                                                • Instruction Fuzzy Hash: FC41E5B1D082A89AFB24C728DC49BDB7B74AB41714F0440FAD84D16281D67D5ED68FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 63136d7b5147379d68a01dc19f9929eca3b52eaf782c97765a0eafeaa6c4fef0
                                                                • Instruction ID: e2e75eb23d1ebbcfea06d3d7f48de946e9eb7715e30c88b5033c18662ed54d3e
                                                                • Opcode Fuzzy Hash: 63136d7b5147379d68a01dc19f9929eca3b52eaf782c97765a0eafeaa6c4fef0
                                                                • Instruction Fuzzy Hash: D341F4B1D082A89AFB24C728DC49BDB7B74AF51710F0840FAD84C16281D67D5ED68FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: eb165844d20164fe60918f2b881a0ce7d4ec3ef8043857187399f09a3ce7c788
                                                                • Instruction ID: 027179dd9026525e02d8d971c713e9bd0f5dcd0fd7a8d4b224981409406c18a9
                                                                • Opcode Fuzzy Hash: eb165844d20164fe60918f2b881a0ce7d4ec3ef8043857187399f09a3ce7c788
                                                                • Instruction Fuzzy Hash: 024106B2D0C2A89AFB248728DC49BDB7F74AB51714F0800FAD44C16281D67D5ED68FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 17b541020c4e4771dc995c80583ba65604a53208e4a8a43109cf4fb5addc4ab4
                                                                • Instruction ID: 01dacf853391698ec37bd80e2612ac53720a96fe5e4ac8948ed1ff7811484e53
                                                                • Opcode Fuzzy Hash: 17b541020c4e4771dc995c80583ba65604a53208e4a8a43109cf4fb5addc4ab4
                                                                • Instruction Fuzzy Hash: 9C41F6B1C0C2A89AFB248728DC49BDB7E64AB41714F0800FAD84D16281D67E5BD58BA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 5438c3b9bcf6c2a69e8c448a2b21aa1f06211d9938ef59cccaac7db2c5cd728a
                                                                • Instruction ID: 0841990237e35b17f336d8fe0d79f4d9e2ad10eeec08a1acbbf23e914250c472
                                                                • Opcode Fuzzy Hash: 5438c3b9bcf6c2a69e8c448a2b21aa1f06211d9938ef59cccaac7db2c5cd728a
                                                                • Instruction Fuzzy Hash: CE41E3B1D082A89AFB248728DC49BDB7B78AB51714F0800FAD84C16281D67D5ED58FA3
                                                                APIs
                                                                • CloseHandle.KERNELBASE(?), ref: 3BEBE09D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: 5P5M$C$F$W$_W$a$e$e$e$i$l$r$t
                                                                • API String ID: 2962429428-3741801046
                                                                • Opcode ID: 4e06b58ba96e5ace161f1916feb9944e6108d49ab3d8453ed04ba01d09d58737
                                                                • Instruction ID: 3e22502358bd491e74b105627a8556c5df6c45a19cbdec01f2ec899dd7bfc0fe
                                                                • Opcode Fuzzy Hash: 4e06b58ba96e5ace161f1916feb9944e6108d49ab3d8453ed04ba01d09d58737
                                                                • Instruction Fuzzy Hash: EA41F6B1C0C2A89AFB248728DC09BDB7E649B41714F0840FAD44C16281D67E5ED58FA3
                                                                APIs
                                                                • RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?,?,?,3BEBC0E0,?,?,?,?,3BEBBBF0,3BEB969B,?), ref: 3BEBC1BF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Value
                                                                • String ID: C$H$a$d$e$e$l$l$n$o$s
                                                                • API String ID: 3702945584-2848555115
                                                                • Opcode ID: edb567c4d405c8c125092bce87387bbadf313e197d0d1ebb8806aa53d65049a3
                                                                • Instruction ID: 627444ea62e9caeb9a024cab4d18935a32938c94d82b1340ef1e5f62e3d0c28d
                                                                • Opcode Fuzzy Hash: edb567c4d405c8c125092bce87387bbadf313e197d0d1ebb8806aa53d65049a3
                                                                • Instruction Fuzzy Hash: AF31C671D08A998EEB18CA28CC54BEABBB29B41305F0441EDD14C67281D6BA1FC6CF21
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: F$R$^S$a$d$e$e$i$l
                                                                • API String ID: 4275171209-2377276599
                                                                • Opcode ID: 3141dec147b558d62405240489b1ff15c4184e45e55e9d0543e5dd0558e22c4b
                                                                • Instruction ID: 41fa5d9adfdf1f4dc7cf7666e1d03c3eb339a718b6a7603c42fbbf594df49d40
                                                                • Opcode Fuzzy Hash: 3141dec147b558d62405240489b1ff15c4184e45e55e9d0543e5dd0558e22c4b
                                                                • Instruction Fuzzy Hash: 225125B1C086949FE7218A24CC947DBBFB5EF82315F1440FAC54D5A281D27A4AC6CB22
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 3BEC3E85
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: F$R$^S$a$d$e$e$i$l
                                                                • API String ID: 4275171209-2377276599
                                                                • Opcode ID: 41cc12e3f37aa8b4cbd49388fdff73f92e74825ada55826acc8b6e96cb0f9759
                                                                • Instruction ID: 5191d31a6d03cb2bd230287d948d457742ca6455b4a0134eb8dcaec2fb8cfe27
                                                                • Opcode Fuzzy Hash: 41cc12e3f37aa8b4cbd49388fdff73f92e74825ada55826acc8b6e96cb0f9759
                                                                • Instruction Fuzzy Hash: 1B5148B2C087949FF7218624DD94BDBBF75EF92704F1440FAD54D5A281D6BA0BC1CA22
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: F$R$^S$a$d$e$e$i$l
                                                                • API String ID: 4275171209-2377276599
                                                                • Opcode ID: 1ab85169e5283b87be0723a637f2047cc87a8f4f4395c44928ae34f695379456
                                                                • Instruction ID: deb3449515a873ac73a2cb6aa5341366c8687f20b1c90da8f3a5c38410ee3c2b
                                                                • Opcode Fuzzy Hash: 1ab85169e5283b87be0723a637f2047cc87a8f4f4395c44928ae34f695379456
                                                                • Instruction Fuzzy Hash: DE514CB1C097949FF3218628DD957DB7F75AF82704F1400FAC54D5A281D2BA4BC5CB62
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,39335C83,00003000,00000004), ref: 3BEC3E85
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • Opcode Fuzzy Hash: 4455b64cdea1b26f6edff0b999ce5551bc52efe780797bddcb0211565cb0704c
                                                                • Instruction Fuzzy Hash: AE21D672E4121D9AFB348A14DD85FFA7778F704314F2841F9E90AD66C0E6355F809E90
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 904e06bd45bd9fdf50ddd58c086326ef73d7893ea4a6e4ff4d6f230e9fc175fb
                                                                • Instruction ID: f7721127fd72282b40d744a762038066964f21138db9c3e51708c5a7b4193a2c
                                                                • Opcode Fuzzy Hash: 904e06bd45bd9fdf50ddd58c086326ef73d7893ea4a6e4ff4d6f230e9fc175fb
                                                                • Instruction Fuzzy Hash: B421C072E4021DAAFB34CA24DD86BFA7778EB40300F2441F9E909AA6C0D6345F809F80
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID: 7;PF
                                                                • API String ID: 544645111-1099082884
                                                                • Opcode ID: 3a19ca62995d2c28e97c3dcd1b95990e7a350f8078187c2eeae706a144347792
                                                                • Instruction ID: a6874fc4fe02c79d032309a430a846c5687fb61d88b1092537850fad30f1645a
                                                                • Opcode Fuzzy Hash: 3a19ca62995d2c28e97c3dcd1b95990e7a350f8078187c2eeae706a144347792
                                                                • Instruction Fuzzy Hash: 6D2102B2D041559FEB208A24CC58BFF7AB4FB80348F2081FAE60E67681DE344EC58B51
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 2b9f4424e7420cad9edd66d7f238d336b52235b58116012885eeea81119d8876
                                                                • Instruction ID: 3f4d881008fa70051dec42cc48d1b25aa46b17ea625fd3a4f1b0ddfd81b8b681
                                                                • Opcode Fuzzy Hash: 2b9f4424e7420cad9edd66d7f238d336b52235b58116012885eeea81119d8876
                                                                • Instruction Fuzzy Hash: F911B4B2E4522D5AFB34CA54DC85FFAB778FB40304F1841F5E909A6280E7B56F809E90
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID: K
                                                                • API String ID: 4241100979-856455061
                                                                • Opcode ID: 113ad6bb2380edc36fc4b847648b066c376f0e3ed5ca20c6d6dca9cf2380ffb3
                                                                • Instruction ID: 187194ddbf5e467e806333967b9c713888ff7423c9b63ecfa203f438c9f2afee
                                                                • Opcode Fuzzy Hash: 113ad6bb2380edc36fc4b847648b066c376f0e3ed5ca20c6d6dca9cf2380ffb3
                                                                • Instruction Fuzzy Hash: 7611DFB0C093986FEB11CB10DC807EA7B74EB46304F0940DBD48DAA642E6394ECA8F52
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID: K
                                                                • API String ID: 4241100979-856455061
                                                                • Opcode ID: 6a291d858259b90ed948322e226fd18828e5b6510c0699e9ddc9ca19d3840a5b
                                                                • Instruction ID: 23edb5f167424481ce0ba802085c8f38d275b5c6a279af7f536e1178eebea862
                                                                • Opcode Fuzzy Hash: 6a291d858259b90ed948322e226fd18828e5b6510c0699e9ddc9ca19d3840a5b
                                                                • Instruction Fuzzy Hash: CE119DB0C08398AEEB108B14DC816EA7B78EB45700F0880EAD48D65641EA395EC58E52
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 0198249a4045f7c3f1497b2a8630e81faab1d8669acd1561e853a4e98890e6e9
                                                                • Instruction ID: 8d2fe53cf15915831402509c5b9427a516214baa37c769fa1c706ca66eb323ed
                                                                • Opcode Fuzzy Hash: 0198249a4045f7c3f1497b2a8630e81faab1d8669acd1561e853a4e98890e6e9
                                                                • Instruction Fuzzy Hash: 9211C1B6D14318AEFB14CB28CC44BFAB6B5EB84310F00E1BAD54996680DA395EC58E11
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 0b67a3e93217666004ff40da8b37dee503d237bef2fb6423eb3e0ff8ee471c7f
                                                                • Instruction ID: f84e58b6d8a095238746cb97e7f5f8d071ffd6ee0205144865fc9ca3dc4bc382
                                                                • Opcode Fuzzy Hash: 0b67a3e93217666004ff40da8b37dee503d237bef2fb6423eb3e0ff8ee471c7f
                                                                • Instruction Fuzzy Hash: C81173B1E4521C9AEF389A50DD52BF97774F700704F2441EAEA0AA66C0D7741FC09F51
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: f8526c289196378cd7bff4ec3010927700e7c0c1bc176cab9d48bfc231d53c4d
                                                                • Instruction ID: 8a3f2959ee46624c311a7adffef0dbb3f2c4da057430190a0898e889216c4645
                                                                • Opcode Fuzzy Hash: f8526c289196378cd7bff4ec3010927700e7c0c1bc176cab9d48bfc231d53c4d
                                                                • Instruction Fuzzy Hash: DF01B5F2C18718AFEF24CB18CC54AFB7A68EF40701F4061AAA88951581EE745FC1CE53
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 3890283ce0457eb32d0766ba7cfa8f33abbd822ea9efb7c2a4984ae7506b213a
                                                                • Instruction ID: 6ac7b4418c0d557b90a710fa1ccc60c899678cdef7c39624a45a6b3596dfd2c1
                                                                • Opcode Fuzzy Hash: 3890283ce0457eb32d0766ba7cfa8f33abbd822ea9efb7c2a4984ae7506b213a
                                                                • Instruction Fuzzy Hash: 9001F772F45248AAFB34C915DC46FEE7769FB80704F6841FAFA09AA5C0D7F41B809A41
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 66204683e165099a07daaae221ba03c19274fa427e00a6513269654286639aab
                                                                • Instruction ID: 845d9d8bfcc4f22d072e348526860ce37bcf0d8089a73e5a80af794908a3d4b8
                                                                • Opcode Fuzzy Hash: 66204683e165099a07daaae221ba03c19274fa427e00a6513269654286639aab
                                                                • Instruction Fuzzy Hash: 67017171E442589AEB38CA50DC52BF9B774FB40705F2441EEEA4AA62C0DB711B809F44
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: f7bd3e088d5ec32d4f3b5729740d0f0a05f0531191a536fa2145f56e457d0eb8
                                                                • Instruction ID: 8e17deaae636d3e6c7993c067f08056fd7e95a3d8ce9f51d9e1ba450e1d83a46
                                                                • Opcode Fuzzy Hash: f7bd3e088d5ec32d4f3b5729740d0f0a05f0531191a536fa2145f56e457d0eb8
                                                                • Instruction Fuzzy Hash: DA01D671B4961896EF34C940DD42BFD7375FB81705F2881E5E509A99C0E7B41A805B41
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 9e5ea8e323a16d38abe5f09f51a2b246070780c19cec1e0154d0e243c047ac8b
                                                                • Instruction ID: 919dd2b8394da8eedf3f5fc6f42eaea8b5730ac6e744a6ba65d821d88e3746f7
                                                                • Opcode Fuzzy Hash: 9e5ea8e323a16d38abe5f09f51a2b246070780c19cec1e0154d0e243c047ac8b
                                                                • Instruction Fuzzy Hash: 49018471A4421D9ADB34CA50DD42BE9B778FB04700F2841E6E909E6680D3755B809F91
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: e84534659dc528a21b8cc372649596e82f120c6d65e9462b429148fe5c93b6bd
                                                                • Instruction ID: d6e59648bde95957db18d5999182ea822c33def88c9ba67e6a2252df71e7949d
                                                                • Opcode Fuzzy Hash: e84534659dc528a21b8cc372649596e82f120c6d65e9462b429148fe5c93b6bd
                                                                • Instruction Fuzzy Hash: 24012632F052189AFB348901CD05FFDB365FB80704F6841E5E509AB5C0D7F41B809E81
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 70634f26b1ae7896aab81c46e35f1fe2971a447744ae8384650db3339f45d4e5
                                                                • Instruction ID: ebe8a5d667e1cfc1aadcc70ac5b370de028c0776ab7b5f9ded4cf68ff5f601f5
                                                                • Opcode Fuzzy Hash: 70634f26b1ae7896aab81c46e35f1fe2971a447744ae8384650db3339f45d4e5
                                                                • Instruction Fuzzy Hash: 79012670B092489AEB34CA40CC42FFD7374FB81705F2C81E9E60AAA5C1D7B11A809B81
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 16f2fb86c47d75584d352aa26e954248e87630d4248e3aa84dc9d8df5d958252
                                                                • Instruction ID: cb1ac7982a225f6c2d093b830e28f6e30e47912af347b0d63084fc52948eccf8
                                                                • Opcode Fuzzy Hash: 16f2fb86c47d75584d352aa26e954248e87630d4248e3aa84dc9d8df5d958252
                                                                • Instruction Fuzzy Hash: D6F081F5C18318AEEF24CB18CD54AFA7A78EF40700F40A1EAA88A65540DE745FC18F13
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 008EA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 16f2fb86c47d75584d352aa26e954248e87630d4248e3aa84dc9d8df5d958252
                                                                • Instruction ID: 5a0cbcc395e2f4c2f7b4afeae50174d4673306b59e579634120c36f7d53a5a89
                                                                • Opcode Fuzzy Hash: 16f2fb86c47d75584d352aa26e954248e87630d4248e3aa84dc9d8df5d958252
                                                                • Instruction Fuzzy Hash: 68F0A4B5C1065CEEE7288A15CC04BFA7678FF41B04F1091EAA48B95541E6746FC1DF23
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: aa7d00d81ec189bd87bcce02e013ad21ecad6f15d85b88b15f178ff42c514edf
                                                                • Instruction ID: eaf8d74ccbeabaddc0d390f039fcb25ea9f2f24b6f7f275583a6253563d18451
                                                                • Opcode Fuzzy Hash: aa7d00d81ec189bd87bcce02e013ad21ecad6f15d85b88b15f178ff42c514edf
                                                                • Instruction Fuzzy Hash: A1F081F5914358AEEF15CB14CC44BFEBA78EF40700F40A5AAA489A6540DA755FC5CE12
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 6840c7b78c91cc49818bcc54ba458770c795cccbbb4a63c346a1c11938a36e1b
                                                                • Instruction ID: 4a7657b60dcf6729ce62f26631186bbe4d742161a17d6c447d149afc6bb1bcbf
                                                                • Opcode Fuzzy Hash: 6840c7b78c91cc49818bcc54ba458770c795cccbbb4a63c346a1c11938a36e1b
                                                                • Instruction Fuzzy Hash: 43F06271B4565C96EB34C941DD46FECB364FB41705F2881D9E609A95C0E7B01A809B81
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 4797f77d120bcea430a4ea180c78827df8a4a51a82db65e2143518f6d2acc2a5
                                                                • Instruction ID: 23bba6e35871c84b725ad3d7857fa60d0d1a9c9a98ef8053f2b792cb68379709
                                                                • Opcode Fuzzy Hash: 4797f77d120bcea430a4ea180c78827df8a4a51a82db65e2143518f6d2acc2a5
                                                                • Instruction Fuzzy Hash: BCF03CB5814318AEEF29CF18CC44AFA7B78EF40701F40A1DAA98A65540DE755F85CF12
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: eea14d86ca8880136b55622ad33732fe315635168edc1a1ba26f3762c0602ce5
                                                                • Instruction ID: 1800ff0ceb93f86a16d5a3a1738e352ad388bb80bd430819feca994ead1a5723
                                                                • Opcode Fuzzy Hash: eea14d86ca8880136b55622ad33732fe315635168edc1a1ba26f3762c0602ce5
                                                                • Instruction Fuzzy Hash: CEF0AFE1808348AEEF54CB24DC44BAA3E64EF50B00F40A19AD58914481EE744AC5CE23
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 008EA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 4797f77d120bcea430a4ea180c78827df8a4a51a82db65e2143518f6d2acc2a5
                                                                • Instruction ID: d60796f0bf8cb1517aeaacc1c18164e893a88a57374b95f1d47834bf5786d567
                                                                • Opcode Fuzzy Hash: 4797f77d120bcea430a4ea180c78827df8a4a51a82db65e2143518f6d2acc2a5
                                                                • Instruction Fuzzy Hash: 3EF0AFB5800258EED72C8A15CC44BFA7774FF41B00F0091DAA48B91540D6716FC4DF13
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 0da8e396d210691994c2e90656efe39bcbe6442fd234bd89f04e4363b2550418
                                                                • Instruction ID: b8810f29cf0d7157060cc10a395f61ccc2a6522cd1a5841d01b6221bda0d40a0
                                                                • Opcode Fuzzy Hash: 0da8e396d210691994c2e90656efe39bcbe6442fd234bd89f04e4363b2550418
                                                                • Instruction Fuzzy Hash: 48F04FF5D14318AEEF25CB14CC44AEABAB4EF84700F40A2AAA98965540EA755F85CE12
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?), ref: 0089BE3D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateProcess
                                                                • String ID: jjjj
                                                                • API String ID: 963392458-48926182
                                                                • Opcode ID: 779d8010a804dd515a025a59d640c0ab89725a1a6ec7f095d3abcb0305f164e7
                                                                • Instruction ID: 6d7a9e260cf7bc12c33183dcb0af99ecc642ca4cdc479b35b9b4796c7a527c8d
                                                                • Opcode Fuzzy Hash: 779d8010a804dd515a025a59d640c0ab89725a1a6ec7f095d3abcb0305f164e7
                                                                • Instruction Fuzzy Hash: B7F04470B4421D9ADF34CA40CC41FEDB774FB44701F2441D9EA09A6580D7715F409F94
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: ee6cdc6fa1045018a9f7885b9809f726e9f942854c9b775476831f21130f4635
                                                                • Instruction ID: dfac78bf89a150c9129d2feff3881352d7109a0a4cfaa18bc6707abfd57f089b
                                                                • Opcode Fuzzy Hash: ee6cdc6fa1045018a9f7885b9809f726e9f942854c9b775476831f21130f4635
                                                                • Instruction Fuzzy Hash: 6BF049F581431CAEEF25CB18CC40AFABAB8EF40701F40A2DAA48961540DA755F80CE12
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 008EA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: ee6cdc6fa1045018a9f7885b9809f726e9f942854c9b775476831f21130f4635
                                                                • Instruction ID: e980ab7a6d1de67ff4feabf3317f57c2d632b803f9dc92e52b68db436d81a907
                                                                • Opcode Fuzzy Hash: ee6cdc6fa1045018a9f7885b9809f726e9f942854c9b775476831f21130f4635
                                                                • Instruction Fuzzy Hash: E3F06DB5C10258AEE7298A15CC44AFAB678FF41B01F4092DAA48AA1540E6756FC4CF12
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: d99a864e144566c439742d7ac9f73c60f77b21b85667bbf3f7e558ad0b62cdc7
                                                                • Instruction ID: 67b5797c7db6363d00f0f14ba34d8c1f85f957dec82e5edf8b84223dd5f90685
                                                                • Opcode Fuzzy Hash: d99a864e144566c439742d7ac9f73c60f77b21b85667bbf3f7e558ad0b62cdc7
                                                                • Instruction Fuzzy Hash: 20F01DF591431CAEEF25CB14CC44BFABAB8EF44700F40A2DAA58965540DA755F85CF12
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 665f146a684a2591f8f3a9a9f039a0c2e2d969dd48a818ec78092ec9fedefca4
                                                                • Instruction ID: 068737e0b24e00ff50907a552ebe3528a0b6e08fa0b7c6c0b4d933f20b86748c
                                                                • Opcode Fuzzy Hash: 665f146a684a2591f8f3a9a9f039a0c2e2d969dd48a818ec78092ec9fedefca4
                                                                • Instruction Fuzzy Hash: 75F082F5904318ADFF14CB14DD04BFE7A74DF40700F40A2AAE189144809A745FC5CE13
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,000F003F,?), ref: 3BEBA0FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID: Qh?
                                                                • API String ID: 71445658-2306691335
                                                                • Opcode ID: 805d408ccdf3c82228bd8776d5eddff33284df6a6d235308b070bd827510ef29
                                                                • Instruction ID: 31d59b04086d972770f867ea0dfe582b24493c3882c145c1628fde32753515de
                                                                • Opcode Fuzzy Hash: 805d408ccdf3c82228bd8776d5eddff33284df6a6d235308b070bd827510ef29
                                                                • Instruction Fuzzy Hash: 77F082F5808318ADFF14CB14DC04BFA7A74DF40700F40A2AAE189144809E745FC5CE13
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID: P@65
                                                                • API String ID: 2738559852-1165756456
                                                                • Opcode ID: b026a87512f5465d5cd140d5b333ca79d552e11c47dd94f92bf6601c36060fbe
                                                                • Instruction ID: 6c2c196a23940e26bb4818d726ba06b07e22efbe2198182507d8eede84fcfeb6
                                                                • Opcode Fuzzy Hash: b026a87512f5465d5cd140d5b333ca79d552e11c47dd94f92bf6601c36060fbe
                                                                • Instruction Fuzzy Hash: 10F08275D457298BE724CE04DD84BDFF3B5AB88745F0081E9E80DA7200DA715ED08F81
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID: 8G2D
                                                                • API String ID: 2738559852-4258219503
                                                                • Opcode ID: 49260080b530d25edf066e949fa31f889f055353704453b1a5575e106d6df536
                                                                • Instruction ID: c61ebb63efe67b0ebf37b80bf8ee6bfd7bce813901015f351dc1e34a076476ec
                                                                • Opcode Fuzzy Hash: 49260080b530d25edf066e949fa31f889f055353704453b1a5575e106d6df536
                                                                • Instruction Fuzzy Hash: C8E01A71A453189BF720CE48CD85BDFB7F9BB88B09F1082D9E50CE6140EA319A908B91
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: @7@:
                                                                • API String ID: 4275171209-2902581891
                                                                • Opcode ID: a281decdbc1ef60d1bcf704059be086208a4271f60b5a3f17bb634401339e879
                                                                • Instruction ID: e63054a0582db16fa87fae7b91436714afcc4da6379ac6ae1e97b401ac532b56
                                                                • Opcode Fuzzy Hash: a281decdbc1ef60d1bcf704059be086208a4271f60b5a3f17bb634401339e879
                                                                • Instruction Fuzzy Hash: 3A31EFB1D051649FE710CA10CC84BEA7BB5FFC2309F14C4FAD8496B285D6395E868FA2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: M3HI
                                                                • API String ID: 4275171209-1505179660
                                                                • Opcode ID: aaeb17e6b2f8533bad25e1fce4f4af2e064babcdd19e3efd74f6016498aec9bf
                                                                • Instruction ID: 165706c35231a5df39d44a46b3afebeb9d1eabb429148859e1a596e8871d9dd3
                                                                • Opcode Fuzzy Hash: aaeb17e6b2f8533bad25e1fce4f4af2e064babcdd19e3efd74f6016498aec9bf
                                                                • Instruction Fuzzy Hash: C231E2B19005199EEF25AA10CC587EAB775FB81319F2840EED10ED6181E7B80ED5CF12
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: 5IDD
                                                                • API String ID: 4275171209-2086563400
                                                                • Opcode ID: 3913714fbfc300ba91229a2dcbf09d1c8f0ac023df71876ab593a30ab23e52a1
                                                                • Instruction ID: 8f35bc0b4c53da8d2f865ae00d96e482a61643248ff94498fd2e6b3350fd482a
                                                                • Opcode Fuzzy Hash: 3913714fbfc300ba91229a2dcbf09d1c8f0ac023df71876ab593a30ab23e52a1
                                                                • Instruction Fuzzy Hash: 9331E3709046599FEF35AA50CC587EA77B5FB41319F2800EAD00AD5181E7B80ED5CF12
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: P?O6
                                                                • API String ID: 4275171209-2099622976
                                                                • Opcode ID: 4520258b1aab29a83e53f34ae7dc110cfa6dc16e8f2a8f4730fa3cf27b6a972c
                                                                • Instruction ID: 683671c1d9b6387accb5d1db426b3eadd398e65ec3283d2ad1bb9650b267b562
                                                                • Opcode Fuzzy Hash: 4520258b1aab29a83e53f34ae7dc110cfa6dc16e8f2a8f4730fa3cf27b6a972c
                                                                • Instruction Fuzzy Hash: F72171B0A045699FEF31AA14DC48BEAB7B5FB81319F2841E9D40DE6180E7790ED5CF11
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: EM6^
                                                                • API String ID: 4275171209-4026762246
                                                                • Opcode ID: 5aee7129e3d90f36188c5794b13980fc991cc71b331e445d9f66b058ad28cb14
                                                                • Instruction ID: 110a33d859433cbdb1d7ccf339d258665ec9186e7ef4e5839ef6af0e4877dc81
                                                                • Opcode Fuzzy Hash: 5aee7129e3d90f36188c5794b13980fc991cc71b331e445d9f66b058ad28cb14
                                                                • Instruction Fuzzy Hash: C7214CB09045299FEF24AA14DC58BEAB7B5FB41319F2801E9D00AE6181E7B91ED4CF11
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 154bbdbe0896aa84e98682a674c764b959cd4845bf8c97da833bee5e2ea63196
                                                                • Instruction ID: 89fce2adea4d8279b376a99715dccd6d432012ffd30b05b5e281b5103856cff3
                                                                • Opcode Fuzzy Hash: 154bbdbe0896aa84e98682a674c764b959cd4845bf8c97da833bee5e2ea63196
                                                                • Instruction Fuzzy Hash: 738109F2D102155FF7148A14DD85BFB77B9EB80314F1482BAD90D96280E67C5EC18F92
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: f06cffc4548ebeebeaecc282717a4f9b24fd6150206d6321807e80ff7e0921b9
                                                                • Instruction ID: 2673e868d8cdbc85732c8f6cc1dd295b3cb9aa0c56c91ab49c4fd11079968a5a
                                                                • Opcode Fuzzy Hash: f06cffc4548ebeebeaecc282717a4f9b24fd6150206d6321807e80ff7e0921b9
                                                                • Instruction Fuzzy Hash: D47136F2D041689FE714CA14DC94AFF7B79FB81318F1881FAD94A57680DA385E818F92
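The VirtualAlloc and VirtualProtect entries above print their arguments as raw hexadecimal. The script below is an added example and is not part of the Joe Sandbox report: it parses lines in the format of the APIs sections, decodes the Win32 flag constants (the tables hold the documented Windows SDK values) and checks for the memory-staging sequence a loader uses, an allocation with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE followed by a VirtualProtect that turns memory into PAGE_EXECUTE_READWRITE. The input lines are copied from the entries on this page; the table, function and variable names are my own.

```python
import re

# Documented Win32 constants (Windows SDK values).
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
              0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_WRITE_WATCH"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
         0x100: "FILE_ATTRIBUTE_TEMPORARY"}

# Argument position -> flag table, per API (helper table of my own, not from the report).
ARG_DECODERS = {
    "VirtualAlloc":   {2: ALLOC_TYPE, 3: PAGE_PROT},
    "VirtualProtect": {2: PAGE_PROT},
    "CreateFileW":    {1: ACCESS, 2: SHARE, 4: DISPOSITION, 5: ATTRS},
}

# Matches "Api.MODULE(arg,arg,...), ref: ADDR" as printed in the APIs sections.
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def decode_flags(value, table):
    """Turn a numeric argument into symbolic names: exact match for enums,
    otherwise a '|'-joined bitmask, with unknown bits left as hex."""
    if value in table:
        return table[value]
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(bit for bit in table if value & bit)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else hex(value)


def parse_api_line(line):
    """Parse one APIs line; '?' marks values the sandbox could not resolve."""
    m = LINE_RE.search(line)
    if not m:
        return None
    decoders = ARG_DECODERS.get(m.group("api"), {})
    args = []
    for i, raw in enumerate(m.group("args").split(",")):
        raw = raw.strip()
        if raw == "?":
            args.append("?")
            continue
        value = int(raw, 16)
        args.append(decode_flags(value, decoders[i]) if i in decoders else hex(value))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def find_rwx_staging(lines):
    """Detect the unpacking pattern: a PAGE_READWRITE VirtualAlloc in the listing
    plus VirtualProtect calls that make memory executable.
    Returns (pattern_present, [ref addresses of the executable-making calls])."""
    calls = [c for c in map(parse_api_line, lines) if c]
    alloc_rw = any(c["api"] == "VirtualAlloc" and len(c["args"]) > 3
                   and c["args"][3] == "PAGE_READWRITE" for c in calls)
    protect_x = [c["ref"] for c in calls
                 if c["api"] == "VirtualProtect" and len(c["args"]) > 2
                 and "EXECUTE" in c["args"][2]]
    return alloc_rw and bool(protect_x), protect_x


# Constructed input: the APIs lines copied from the report entries on this page.
REPORT_LINES = [
    "VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4",
    "VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68",
    "CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF",
    "CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA",
    # 0x38 is sizeof(PERFORMANCE_INFORMATION) for a 32-bit caller.
    "K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB",
]

if __name__ == "__main__":
    for line in REPORT_LINES:
        call = parse_api_line(line)
        print(f"{call['ref']:08X} {call['api']}({', '.join(call['args'])})")
    present, refs = find_rwx_staging(REPORT_LINES)
    print("RW alloc + RWX protect pattern:", present, [f"{r:08X}" for r in refs])
```

One caveat when reading the result: the VirtualAlloc at ref 00896AF4 lies in the private region dumped at 00890000, while the VirtualProtect at ref 00548D68 lies in the original image at 00400000, so the two halves of the pattern come from different stages of the sample. A stricter check would correlate each ref with the region it was dumped from before pairing calls.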
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 448fbc7bbbf37520996c4ac79a6ae751dab3c0a66d0d8c7d2c3b77ced75d1009
                                                                • Instruction ID: 13ae408fd5bc32e619acc32e6ccf4bae4b30155d03ea5f2ed22394c6f89454e7
                                                                • Opcode Fuzzy Hash: 448fbc7bbbf37520996c4ac79a6ae751dab3c0a66d0d8c7d2c3b77ced75d1009
                                                                • Instruction Fuzzy Hash: DD8125B6D042249FFB24CB18DC95BEBB779EB84318F1481F9E90D57281D6385EC28E91
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 66db2fd7d8560504131b1210d7cf6d2f26c934d3399b2fe85552ebff63edb38a
                                                                • Instruction ID: bbf921ee582a9f2d0934f6865c60331b9a537dae2e7e8efd853446c97c3e2dea
                                                                • Opcode Fuzzy Hash: 66db2fd7d8560504131b1210d7cf6d2f26c934d3399b2fe85552ebff63edb38a
                                                                • Instruction Fuzzy Hash: 3781C471D046188BEB24CB24CD94BEEBF75FB41315F1482A9D80DA7644C638ABC1CF55
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 6dc36f09f61b9b0e4138b36efc47e182a1d24234fb390bcbf9444894c8b14a23
                                                                • Instruction ID: b4bb4b42583b6c9792f3a3304de5728bd421d3a925b61416a75a06feaf3a0c2a
                                                                • Opcode Fuzzy Hash: 6dc36f09f61b9b0e4138b36efc47e182a1d24234fb390bcbf9444894c8b14a23
                                                                • Instruction Fuzzy Hash: 266109F2D102195AF7248A18DD45BFB76B9EBC0314F0482BAD90D96680EA7C5FC1CF92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 432bcbe4fcfccd2a9311ffc963c6e47ba841499f3f533c5a611c04326f29994f
                                                                • Instruction ID: 043a8f891fe602f778c2043d8da32fd8cad315076a950ba7974103348e4fa192
                                                                • Opcode Fuzzy Hash: 432bcbe4fcfccd2a9311ffc963c6e47ba841499f3f533c5a611c04326f29994f
                                                                • Instruction Fuzzy Hash: A76115B2D086189EE720CA25DC98BFABB75FF94314F1480BED90D56681E6781EC5CF01
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 0207e1c8ba9895d34605f527f1132f0ae60f947e87d2d8b5e7840e1a364c8902
                                                                • Instruction ID: f8305a0a317c7926a950771f3ae16bb063bd774c6d8a0c639c81ef474497c207
                                                                • Opcode Fuzzy Hash: 0207e1c8ba9895d34605f527f1132f0ae60f947e87d2d8b5e7840e1a364c8902
                                                                • Instruction Fuzzy Hash: 9D5146F2E042159FF714CA18DC95BEBB778EB91315F1042BAD90D67680D6785EC18E82
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: a0fe7db5d87114f430d5ea95307ef949ef19ab00eb2ee6e52caa221928509414
                                                                • Instruction ID: 940b31fc76206a56ddd94d798b995246e57576849bc5daa2f673020583b054b1
                                                                • Opcode Fuzzy Hash: a0fe7db5d87114f430d5ea95307ef949ef19ab00eb2ee6e52caa221928509414
                                                                • Instruction Fuzzy Hash: 3D5126B2D186599EE7208A29DC887FEBB75FF94318F1440BAD50D66681E6781EC1CF01
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: c17c141243d89632c5bca43b2e2e20771c91457c21adc2697668b466b66bb401
                                                                • Instruction ID: 62912dd39462c0eb0592d4c722d3d74cfd29cfceb8e9bae7a2abc2c540922965
                                                                • Opcode Fuzzy Hash: c17c141243d89632c5bca43b2e2e20771c91457c21adc2697668b466b66bb401
                                                                • Instruction Fuzzy Hash: 0F51BFF1C042599FEB14CB14CC91BEA7778EB44310F1881FADA0DA6741D678AFD68EA1
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 008E7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: c17c141243d89632c5bca43b2e2e20771c91457c21adc2697668b466b66bb401
                                                                • Instruction ID: f2f743ac57ef3643a17245feaf858e74055858870c713f9a2bcfb941e72f7852
                                                                • Opcode Fuzzy Hash: c17c141243d89632c5bca43b2e2e20771c91457c21adc2697668b466b66bb401
                                                                • Instruction Fuzzy Hash: 7251BFF1C042689FE714CB04CC91BFA7778FB45304F1881FADA0AA6242D6789FC68E51
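Every entry carries a Source File name that encodes the memory region the function was recovered from, and the two CreateDirectoryW entries directly above share Opcode ID c17c1412... while their Instruction IDs differ, which is what identical code mapped at two different bases (3BEB0000 and 008E0000) looks like. The script below is an added example, not part of the Joe Sandbox report: it parses the .sdmp names, separates image-backed regions from executable private memory, and groups Opcode IDs by region so that code present in more than one dump stands out. The report does not document the .sdmp naming scheme; reading the fifth dot-separated field as the page protection and the seventh as the allocation type is my assumption, checked against every dump listed on this page (0x20 and 0x40 for protection, 0x1000000 and 0x20000 for MEM_IMAGE and MEM_PRIVATE, which line up with "based on PE: true/false"). The input pairs are copied from the entries above; the function and variable names are mine.

```python
import re
from collections import defaultdict

# Documented Win32 values for page protection and region type.
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated hex fields before ".sdmp".
SDMP_RE = re.compile(r"(?P<fields>(?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp")


def parse_sdmp(name):
    """Decode a Source File name. The field meaning is an assumption (see the
    lead-in): [3] region base, [4] page protection, [6] allocation type."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    f = [int(x, 16) for x in m.group("fields").split(".")]
    return {"base": f[3],
            "protect": PAGE_PROT.get(f[4], hex(f[4])),
            "type": MEM_TYPE.get(f[6], hex(f[6]))}


def is_unbacked_executable(region):
    """Executable memory not backed by a loaded image: the usual home of
    unpacked stages and injected code."""
    return "EXECUTE" in region["protect"] and region["type"] != "MEM_IMAGE"


def triage(entries):
    """entries: (Source File name, Opcode ID) pairs.
    Returns (sorted bases of unbacked executable regions,
             {opcode_id: sorted bases} for code found in more than one region)."""
    regions = {}
    bases_by_opcode = defaultdict(set)
    for name, opcode_id in entries:
        region = parse_sdmp(name)
        if region is None:
            continue
        regions[region["base"]] = region
        bases_by_opcode[opcode_id].add(region["base"])
    suspicious = sorted(b for b, r in regions.items() if is_unbacked_executable(r))
    shared = {oid: sorted(bases) for oid, bases in bases_by_opcode.items()
              if len(bases) > 1}
    return suspicious, shared


# Constructed input: Source File / Opcode ID pairs copied from the entries above.
ENTRIES = [
    ("00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp",
     "5aee7129e3d90f36188c5794b13980fc991cc71b331e445d9f66b058ad28cb14"),
    ("00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
     "f06cffc4548ebeebeaecc282717a4f9b24fd6150206d6321807e80ff7e0921b9"),
    ("00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp",
     "c17c141243d89632c5bca43b2e2e20771c91457c21adc2697668b466b66bb401"),
    ("00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp",
     "c17c141243d89632c5bca43b2e2e20771c91457c21adc2697668b466b66bb401"),
    ("00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp",
     "22943def984b4749cdea510464161d28ad266ab27ff147a3e70ae6b860567494"),
]

if __name__ == "__main__":
    suspicious, shared = triage(ENTRIES)
    print("unbacked executable regions:", [f"{b:08X}" for b in suspicious])
    for opcode_id, bases in shared.items():
        print(f"{opcode_id[:16]}... present at", [f"{b:08X}" for b in bases])
```

The three private PAGE_EXECUTE_READWRITE regions at 00890000, 008E0000 and 3BEB0000 are where to start when carving the unpacked payload out of the dumps, and a shared Opcode ID across two of them is a quick way to confirm they hold the same stage rather than two different ones.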
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 22943def984b4749cdea510464161d28ad266ab27ff147a3e70ae6b860567494
                                                                • Instruction ID: 81c42a6eaa7349d4e4273811e4c21b728476dcedd32fbc5ea691ca2d79bb3630
                                                                • Opcode Fuzzy Hash: 22943def984b4749cdea510464161d28ad266ab27ff147a3e70ae6b860567494
                                                                • Instruction Fuzzy Hash: 4F5157F2C19264AFFB148B24DC95BE6BB78EB84314F0440FED94E56681DA3C5EC18E52
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: de270df7bd2d4b369acf6de477585933080516950fd91f9b6f0367c404a6f921
                                                                • Instruction ID: 83ad544c01c27f8cfe4200b0cdc6e56ac23a56ea7553564a0ad4ad93aee20ad7
                                                                • Opcode Fuzzy Hash: de270df7bd2d4b369acf6de477585933080516950fd91f9b6f0367c404a6f921
                                                                • Instruction Fuzzy Hash: 7F51C5F1C052659FEB20CB18DC91AEA7B68EB44314F0481FAD84DA6741DA385EC5CF92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 79ddfe5d1ae99cb9a9be34841f77cf07603370bf85bf465d4c0631434ca4da30
                                                                • Instruction ID: 66199694955fc5adace489389d98ca16f4cec4cadf2fefb3cdc979795f692fb2
                                                                • Opcode Fuzzy Hash: 79ddfe5d1ae99cb9a9be34841f77cf07603370bf85bf465d4c0631434ca4da30
                                                                • Instruction Fuzzy Hash: 714129F2C092685FEB20CB58DC91BDB7B74DF41314F0541BAD98C66641E6385EC68A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: c3c8ab112b453ecbf5ea80bbcc2006df0fe61ad9ea1939e6f0a169d5a99f2cce
                                                                • Instruction ID: 2d03abd3aa1ec70b007c8f7e73f93ef6d05e13f67ff571165800b6adabf6a3aa
                                                                • Opcode Fuzzy Hash: c3c8ab112b453ecbf5ea80bbcc2006df0fe61ad9ea1939e6f0a169d5a99f2cce
                                                                • Instruction Fuzzy Hash: F4410BF2D143159FF3208914DD89BEB76B9E781724F1482FADD0C56280DA794EC1CA92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 0260ac7a12b8da3f03b3ea55001efad2f778feba14eb989b932dcc9031ed6b0f
                                                                • Instruction ID: fd9152a6ede2524db62f13a4461569fec892c2ef504545165d339c1b13ec05a9
                                                                • Opcode Fuzzy Hash: 0260ac7a12b8da3f03b3ea55001efad2f778feba14eb989b932dcc9031ed6b0f
                                                                • Instruction Fuzzy Hash: F7412DF3D143159FF3248A19DD89BEB76B9EB80714F0441BADD0D56280E67D4EC1CA92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 49cf5d8e988ad70f2551776466fedb5aaa04893754d50f5256e89e92a64829e0
                                                                • Instruction ID: fc0e32942d9df353ba019ae86e3c35e05334623341c2790343ac74bd99cb8b06
                                                                • Opcode Fuzzy Hash: 49cf5d8e988ad70f2551776466fedb5aaa04893754d50f5256e89e92a64829e0
                                                                • Instruction Fuzzy Hash: A74119F2C093685FFB20CB58DC84ADB7B78DB42704F0541BAD98C66B41D5384EC6CA92
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: eab8fc66906546019ae276725d91048389f8147c6f1130660f6595b0227e8ea9
                                                                • Instruction ID: 779d507799ec980ca8df1e6e6593a8c48cba0da00ee3335ee99d3b7f2f7dd561
                                                                • Opcode Fuzzy Hash: eab8fc66906546019ae276725d91048389f8147c6f1130660f6595b0227e8ea9
                                                                • Instruction Fuzzy Hash: DC51AE71A046288BDB28CF28CD88BEABB75FB85304F1081EAD50E66644C634AEC1CF45
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c8f8330ff5f79ff84ff696969fa5b217d43685b9c9ccd7b2dd62515f2e38bf2e
                                                                • Instruction ID: 9462e69b4cfe799c1f484d5aee9045b571d4fd55884090f60cb9281716a5d8ee
                                                                • Opcode Fuzzy Hash: c8f8330ff5f79ff84ff696969fa5b217d43685b9c9ccd7b2dd62515f2e38bf2e
                                                                • Instruction Fuzzy Hash: 4C41E7F1C093689FEB20CB58DC50AEA7B749F45715F0541FAD88C66741DA388EC5CB92
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: ed6f68940b5903b9a17427009fd8e135ecbdf3ca8486a0b2450f2564fbc617c9
                                                                • Instruction ID: 1d2e3f7d3c0046845e6d2d96e0649de3158b4ac47dbe0b90b86cfa893ba123ca
                                                                • Opcode Fuzzy Hash: ed6f68940b5903b9a17427009fd8e135ecbdf3ca8486a0b2450f2564fbc617c9
                                                                • Instruction Fuzzy Hash: C14180F2D053155BF7288628DCC9FEB7728E740729F0442BAE90DA51C0DA7D4BD18E92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 166d84b7039606cce79c7a785697705e7764e9df5fc9b977d17da093553ccfad
                                                                • Instruction ID: 8cf818b2ba2a80b6e853cdf9e171dd1e48ccd07db704b95c9909f07e0bbafb65
                                                                • Opcode Fuzzy Hash: 166d84b7039606cce79c7a785697705e7764e9df5fc9b977d17da093553ccfad
                                                                • Instruction Fuzzy Hash: 9D410AF2D143159BF3208A18DD89BEB76B9EB81714F1482FAD90C56280DB7D4EC1CA92
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: e93e8602b9d09eaa24bc998d90b8564e186b2126cf0e9b0d75df7acd9a3c97a4
                                                                • Instruction ID: ce935d3db3fd4be4e30b39b29a5cf97aac9d054caf5ccae7a2358adf1bf47d19
                                                                • Opcode Fuzzy Hash: e93e8602b9d09eaa24bc998d90b8564e186b2126cf0e9b0d75df7acd9a3c97a4
                                                                • Instruction Fuzzy Hash: 8F4168B3E056989FF7208615DCC4BEB7B69FBD1318F2940BAD88D16180D63C4EC18B91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 46cf632d203e8cd23bf5353f2c7e549a20bad2b8bcf745159d0d7278d5142f2b
                                                                • Instruction ID: 628b955bc9c09cbf67bee9d1d00ca3f893cf45c8c9874cea25f3e6a9c2442861
                                                                • Opcode Fuzzy Hash: 46cf632d203e8cd23bf5353f2c7e549a20bad2b8bcf745159d0d7278d5142f2b
                                                                • Instruction Fuzzy Hash: E241E5A5D1D3A89EEF24CB28DC447EABB74EF85714F1081EAD44D96255DA380EC1CF12
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 01532963112f6c93a6a1e5fdb1873c5799f3ea1270b26c7ceb75a75b5b850c11
                                                                • Instruction ID: 021ec91b8e707c063ea25e8237fa53170177e776866b31daf990ec7e9014642e
                                                                • Opcode Fuzzy Hash: 01532963112f6c93a6a1e5fdb1873c5799f3ea1270b26c7ceb75a75b5b850c11
                                                                • Instruction Fuzzy Hash: 76514A72E015288BDB24CB28CD98BE9BBB5FB94305F1082E9D80DA7645C634AFC5CF45
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: dd41ca2f4b0c7fb0e83873a318c7f655133dce68a4cbe7d849ed1deaffeabdd9
                                                                • Instruction ID: f24f9b06d42ef5c2745f61ca54362b67d282eda5066b4e66a7a3575761999938
                                                                • Opcode Fuzzy Hash: dd41ca2f4b0c7fb0e83873a318c7f655133dce68a4cbe7d849ed1deaffeabdd9
                                                                • Instruction Fuzzy Hash: 66411AF2C093A45FEB20CB58DC84ADB7B789F46704F0541FAD98C66B41D5384EC6CAA2
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000,3BEB7703,3BEB73C3,?,?,?,?,?,?,?,?), ref: 3BEB7E45
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 48de234e33b9d92d7dafd543fd4b5963a1eb4849d3d4b5e927810c831e4933f3
                                                                • Instruction ID: 0bf13ae9a81ad42e486b522962ae177a4aa41465814a5931697483dd793451b8
                                                                • Opcode Fuzzy Hash: 48de234e33b9d92d7dafd543fd4b5963a1eb4849d3d4b5e927810c831e4933f3
                                                                • Instruction Fuzzy Hash: 534168B19046198FEB24CF28DC80AAAB776FF84711F1041EBD80DA6740EA399ED5CF51
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 48994c0321cd5804a90462c7d819d8a8dc31c4c24744caf832e09ce566417afd
                                                                • Instruction ID: b1a11e00796aa8f729d74cefcb59c4c169c40efca77e81e46bb064207e34ff2a
                                                                • Opcode Fuzzy Hash: 48994c0321cd5804a90462c7d819d8a8dc31c4c24744caf832e09ce566417afd
                                                                • Instruction Fuzzy Hash: 093126F2C093A45FEB20CB58DC80ADB7B749F42314F0541FAD98CA6A41D9348EC5CAA2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: dee5b51a8d31946304e9e6745785cb10370e8c9180f4a4ea5b6ce47603d406e4
                                                                • Instruction ID: 4e443b1a832d95d2ca286e224f7f4cc7152d02e383eaebfcb5c74ae20ba2895c
                                                                • Opcode Fuzzy Hash: dee5b51a8d31946304e9e6745785cb10370e8c9180f4a4ea5b6ce47603d406e4
                                                                • Instruction Fuzzy Hash: 9E3105F3D143159FF3208A18DD89BEB7AB9EB81314F0542FADD0C56680D67D5EC18A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 7efe0de4004fca09eb8b8350133f6cdb31ad9e63baeda4bf5f5d8b84aeed2d14
                                                                • Instruction ID: 49b29cc097f0ed53c9eea5ac5c545b2238839a675e43e5feb53191fea4991298
                                                                • Opcode Fuzzy Hash: 7efe0de4004fca09eb8b8350133f6cdb31ad9e63baeda4bf5f5d8b84aeed2d14
                                                                • Instruction Fuzzy Hash: 7C41E7F2C093649FEB20DB58DC506DA7B749F46704F0541FAD98C66B41D9344EC6CB92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 9c717ff99189620bb0d91669373df7311c01e3f2672d85510bc23e749a0a9f0a
                                                                • Instruction ID: 1ac93003d1c117a798e1d97112092fb8827d9f07e7d96211aa3ec562693ffa01
                                                                • Opcode Fuzzy Hash: 9c717ff99189620bb0d91669373df7311c01e3f2672d85510bc23e749a0a9f0a
                                                                • Instruction Fuzzy Hash: 1A3106F3D542149BF3208918DD89FEB7AB9EBD1314F0541BAED0C56280E67D5EC18A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 91b7f0cfd6e6778632c4a0493640f2beb1c912ab51a16ca792ee3e91e636a1a5
                                                                • Instruction ID: 12a4448b2adb9bd5fa151779e0b9f4c7276f64dfeceea8f3ab6687fc689f669f
                                                                • Opcode Fuzzy Hash: 91b7f0cfd6e6778632c4a0493640f2beb1c912ab51a16ca792ee3e91e636a1a5
                                                                • Instruction Fuzzy Hash: 513136F3D042149FF3208A18DD89BEB7BB9EB81314F0441FADD0D56280DA7D5EC28A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: b33ad60a93b8723726970dab594f64571a80319b5be96778bb49e798b31c4eae
                                                                • Instruction ID: 6044ab0b1a33da419adfdaa1d12b104dd3fef7acea3c292eaaaade03460a1b97
                                                                • Opcode Fuzzy Hash: b33ad60a93b8723726970dab594f64571a80319b5be96778bb49e798b31c4eae
                                                                • Instruction Fuzzy Hash: F53144F3D442159FF3108A18DC89BEB7BB8EB81314F0442FADD0C56280D6794EC18A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 7cbf9ed9b0556598971011baa83853088ff4d02bf17136a49f052051870be3ee
                                                                • Instruction ID: fdd9ca55525bc0b7ff196258a57a98a3d17a3810111d1de3cb325f9efe01eda7
                                                                • Opcode Fuzzy Hash: 7cbf9ed9b0556598971011baa83853088ff4d02bf17136a49f052051870be3ee
                                                                • Instruction Fuzzy Hash: 533106F3D043149FF3108918DD89BEB76B9EB81714F0441BADD0D56280EA795EC18A92
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: e57f17bca775a4cba941344dff07329e8cebe9a660e70891345fe5ee7f9a3899
                                                                • Instruction ID: 77bb47a0b3041d37c323ba8a946fb85113c76ba581f8ad9308884aee96c87735
                                                                • Opcode Fuzzy Hash: e57f17bca775a4cba941344dff07329e8cebe9a660e70891345fe5ee7f9a3899
                                                                • Instruction Fuzzy Hash: 3B414E71D046288BDB24CF28CD98BEABB79FB54344F1081EAD40E66684D6346FC5CF56
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 43c0c8d59aa039e76fae9f4bbede326c151c74e910c835137f34a6c3b022f26b
                                                                • Instruction ID: d5bc930a4a57f7fd6a98c9a487f6c820eb6248e78b767ab6947dc250f1b1e089
                                                                • Opcode Fuzzy Hash: 43c0c8d59aa039e76fae9f4bbede326c151c74e910c835137f34a6c3b022f26b
                                                                • Instruction Fuzzy Hash: 9C31F3A1D1D3A89EFF20CB68DC447EABB74EB84710F1081EAD44D56195EA380AC5CF12
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 7a055f59dd572563da4cfee343eec35629aa6c6565f17d40d66f0e251b5aed5d
                                                                • Instruction ID: b22fa4607739fbffc3bc056fce19bcda5330741559967292fb40e7f8dd78db90
                                                                • Opcode Fuzzy Hash: 7a055f59dd572563da4cfee343eec35629aa6c6565f17d40d66f0e251b5aed5d
                                                                • Instruction Fuzzy Hash: 0A3176B1D052549EFB108A20CCD97FF7AB9FBC1305F2881FAD60A5A584DE384EC28A11
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 792918b68ad0570aed088b55ae9a05dcb16dc928289881c4a1fd5555ea45542d
                                                                • Instruction ID: d6b2c699900a76b3e23f08b8e3a130ee686fac8c4cb10f99ea0cd312c41d7555
                                                                • Opcode Fuzzy Hash: 792918b68ad0570aed088b55ae9a05dcb16dc928289881c4a1fd5555ea45542d
                                                                • Instruction Fuzzy Hash: 0431F6F2C002149BF3148519DC45BEB7678EB84715F0481BAE90D56684EA7D5ED18A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 8e9242e715e0327d3a372392b7648ff72f67b6afd57d499904267497e88c3b3c
                                                                • Instruction ID: 83a19b0e2393c7889e0687035f498ac3aec3b9b2254b6605b5b8db3569ca6f81
                                                                • Opcode Fuzzy Hash: 8e9242e715e0327d3a372392b7648ff72f67b6afd57d499904267497e88c3b3c
                                                                • Instruction Fuzzy Hash: 0C418B71915A588FCB29CB24CD947EABFB9FB80345F1081EED80DAA245D7346AC6CF04
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 3d5cd673fe1ac5b16fc193afb21d8813b415ec79c06e9627c6725af9fe42573a
                                                                • Instruction ID: 2b59b97096271c9cb8a716df5703201786a864b496eb3c14ba975d341e4dffbd
                                                                • Opcode Fuzzy Hash: 3d5cd673fe1ac5b16fc193afb21d8813b415ec79c06e9627c6725af9fe42573a
                                                                • Instruction Fuzzy Hash: DC3108B2D0921DDEFB248A65DC887FFBA74FB94318F1440BBD50A66680E7780EC0DA11
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 23c7471dde136f9756eb8fcf5e87ffcf6a2163e7c5bc3c4fe6d2e3ae23ac423e
                                                                • Instruction ID: c964936d330becc2cc69c383c6a200382053f97a98b68dcb21edc71f9855ba82
                                                                • Opcode Fuzzy Hash: 23c7471dde136f9756eb8fcf5e87ffcf6a2163e7c5bc3c4fe6d2e3ae23ac423e
                                                                • Instruction Fuzzy Hash: 0831E7F1C093A85FEB20DB58DC80ADA7B749F45704F0581FAD98C66745DA344EC6CB92
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 16cc02e03bacd042b0960f71c8c26008a750402e3b2476e7af989659fe7f606e
                                                                • Instruction ID: 66c63dad571616e44e6f6618c24cfd4c0a533a25f1b3aad921fc30725a8aff02
                                                                • Opcode Fuzzy Hash: 16cc02e03bacd042b0960f71c8c26008a750402e3b2476e7af989659fe7f606e
                                                                • Instruction Fuzzy Hash: B8210CB2D443246AF7288614DC95BE77768E744728F1442BAE50E251C0EE7D5BD18D82
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 3295b77c102e5479a205250b9385847f25fa995a10d7d466d9be68d33d5e37ee
                                                                • Instruction ID: 50dfcfc905e5a78e2708e0088d2543a85495eef5ef2a4e8618c250b7029086d5
                                                                • Opcode Fuzzy Hash: 3295b77c102e5479a205250b9385847f25fa995a10d7d466d9be68d33d5e37ee
                                                                • Instruction Fuzzy Hash: 00318DB2D116248BE728CB14CD95BEABBB9FB90301F14C1EAD40D6A684D634AFC5CF41
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 88a8fdf1158f9b6ef6308e2631de6be0c7a09fbfb5a741af9c738e36ac2f5a93
                                                                • Instruction ID: 5799e9d9f1cd245e6ade3160626568e5cfabe39d6cbb27b1c86e2b9a9ed2b826
                                                                • Opcode Fuzzy Hash: 88a8fdf1158f9b6ef6308e2631de6be0c7a09fbfb5a741af9c738e36ac2f5a93
                                                                • Instruction Fuzzy Hash: E2213BB2D04324ABF7288614DC95BEBB768E744724F1442FEF50E661C0EE781BD18E82
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 419ba04ed0065d64b02fbc22af5ffb7f69c5872622f70732a00a2d4c97e46059
                                                                • Instruction ID: 43ba64220a5e7d4a74e24de11ba85edbd874d1409af0dcccf03266fb27887a63
                                                                • Opcode Fuzzy Hash: 419ba04ed0065d64b02fbc22af5ffb7f69c5872622f70732a00a2d4c97e46059
                                                                • Instruction Fuzzy Hash: 3E315E729057188BDB28CF28CD94BE9FB79FB54345F1081EA980EA6644D634AFC4CF46
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 293e5aac52db295fbc69209f7d8fbe0757cb4bc1509d3be12168b1c1035ebe18
                                                                • Instruction ID: 547859ae92dd60aa9260141a7204dd7f75237448dce3ff50264829e9f5bed53d
                                                                • Opcode Fuzzy Hash: 293e5aac52db295fbc69209f7d8fbe0757cb4bc1509d3be12168b1c1035ebe18
                                                                • Instruction Fuzzy Hash: 1D314F71D046288BDB24CE28CD84BE9BBB9FB54345F1081EA980DA6644D634AFC4CF55
                                                                APIs
                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008AE04F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessWrite
                                                                • String ID:
                                                                • API String ID: 3559483778-0
                                                                • Opcode ID: ffccea0f8e69733767f0ed6fe3c5523e6445841803b7aa0af89f05133ee1c723
                                                                • Instruction ID: e18c220db9c45201e4f681371981bfb49bc46400edbc78866da837d176e7cd4f
                                                                • Opcode Fuzzy Hash: ffccea0f8e69733767f0ed6fe3c5523e6445841803b7aa0af89f05133ee1c723
                                                                • Instruction Fuzzy Hash: 2521D6B2E0916C9FE724CA15DC40AEBB7B9FB85314F1081EAD50ED7941E6342E82CE52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 828a1af6cd9bd161917df4452a965fc8fc13873e74504190283ac943f38f3123
                                                                • Instruction ID: c6165e997f2481f49cd0cf3cc1a041d5428464cb2b6b904b44da257cae0a8208
                                                                • Opcode Fuzzy Hash: 828a1af6cd9bd161917df4452a965fc8fc13873e74504190283ac943f38f3123
                                                                • Instruction Fuzzy Hash: 3C318D71D05A688BDB29CF24CD987E9BFB5BB54305F1082DED40EAA285D7306AC6CF04
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 014142690a51cfb8258c38911791845c451d488647bb2735937fc00838c0971c
                                                                • Instruction ID: 63daa760c185d39baaabfa75d264170bcc8a642af7c9c10cacc09b6f23bb2032
                                                                • Opcode Fuzzy Hash: 014142690a51cfb8258c38911791845c451d488647bb2735937fc00838c0971c
                                                                • Instruction Fuzzy Hash: 4621F3B1D0A3599EFF248B68DC44BAABB74EB85720F1081FAD44D55586E9380BC68F12
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: b0a4904acb5ebe495f3b9491dee742ed392bd6b4dd9fbffc607a4328077eb79d
                                                                • Instruction ID: 7619c1b474359aa83b3ec4cf96f8cc3a51d9f8568498716bf088963790abe91a
                                                                • Opcode Fuzzy Hash: b0a4904acb5ebe495f3b9491dee742ed392bd6b4dd9fbffc607a4328077eb79d
                                                                • Instruction Fuzzy Hash: 6F216AB1D4431A9EFB30C654ECD5BEBB7A4E701715F1083F9E959251C0CA780EC28E81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 9a0c4664ee44f037e7e1ec4fb55dc2abc9cceb5c19d8b236ffe2716a0e969c31
                                                                • Instruction ID: 17b578e1904ea0276565ccba53c521231ef024a0dd56c4d0c3b2c35ebe087897
                                                                • Opcode Fuzzy Hash: 9a0c4664ee44f037e7e1ec4fb55dc2abc9cceb5c19d8b236ffe2716a0e969c31
                                                                • Instruction Fuzzy Hash: 8C2144B1C0D3949FEF148B64DC587A5BB78EB05314F1144DFC58E96182DA380AC1CF42
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 772e49b6f2a94eac37bbc9b07aa8315b4ac42801ac8b29a76241099e30e1d045
                                                                • Instruction ID: aa10538b34c1c661492b83023c86958130e2b4def69998c03fed844d5a1250e3
                                                                • Opcode Fuzzy Hash: 772e49b6f2a94eac37bbc9b07aa8315b4ac42801ac8b29a76241099e30e1d045
                                                                • Instruction Fuzzy Hash: 6E21E5F1C093B89FEB20DB58CC806DA7B749F85704F1581FAD88C66655DA344EC6CB92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: bc575ed9843f92030097b587413c541b4c0acbefa72511a3fc88b7fe0ad37e9b
                                                                • Instruction ID: 27083a1483f11fcb8210d3c26ac0a5184a0db1e5b29f0fbb95e92adc443113bd
                                                                • Opcode Fuzzy Hash: bc575ed9843f92030097b587413c541b4c0acbefa72511a3fc88b7fe0ad37e9b
                                                                • Instruction Fuzzy Hash: E8316B719146288BDB68CF24CD987E9BFB4FB50304F1082EE940EAA284D734ABC58F45
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 82c49bd3fcc2810f4499da027e02ddd2662c198e14416363311eff8696f22350
                                                                • Instruction ID: 7d410e55ee81d2dcde368965270c23ff680fe3d7f6fe5128c1bb3cb82eb5e22c
                                                                • Opcode Fuzzy Hash: 82c49bd3fcc2810f4499da027e02ddd2662c198e14416363311eff8696f22350
                                                                • Instruction Fuzzy Hash: 47215CB2D043246BF7288614DC5AFEB7768E704728F0443BEF50E661C0EE780AD18E92
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 5bab3415f7013527199010557ae4539b1f906dab9df2abb5fa46f05cb91d432c
                                                                • Instruction ID: 016bce4ac4fa578a14deae7f3247ac99d7b664ac161ce9ec6da83ab3a9ce2669
                                                                • Opcode Fuzzy Hash: 5bab3415f7013527199010557ae4539b1f906dab9df2abb5fa46f05cb91d432c
                                                                • Instruction Fuzzy Hash: BF2138B0D4531A9EF730CA54DCD5BEBB7A4E701719F1082F5E959651C0DA790AC28F81
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: ce4c98e8994502494c2a81f2a59aaf112a9c61754689ede13511e47f3d563c5e
                                                                • Instruction ID: bc99a44f3740a9f96e91fbce6dd14f16b1df0214ba0401339380792135616efa
                                                                • Opcode Fuzzy Hash: ce4c98e8994502494c2a81f2a59aaf112a9c61754689ede13511e47f3d563c5e
                                                                • Instruction Fuzzy Hash: 4821D6B0C087989FEB21CB54CDC07D97BB4EB45314F1491DAC84D66646EA384FC58F42
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 082da9981b512a71b572943eea41a15821c00543735791e0b7aa44e5cd38dafc
                                                                • Instruction ID: 8594fb22ee07907451a5a8957f0716c98cf5beb5617c5139774aeac87726a3b1
                                                                • Opcode Fuzzy Hash: 082da9981b512a71b572943eea41a15821c00543735791e0b7aa44e5cd38dafc
                                                                • Instruction Fuzzy Hash: 9621B2F1C092B89FEB20DB58CC806DABB749F45301F1581FA998C66655DA344EC6CB91
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 412b3a0c89312e6c4c8baab647f4918726c6888756c5ed7a4d3b7522a80c9b38
                                                                • Instruction ID: 8672c55fd8ad3f933a805138efb0800cd04cb1f396b8150669c0f7e1f3981843
                                                                • Opcode Fuzzy Hash: 412b3a0c89312e6c4c8baab647f4918726c6888756c5ed7a4d3b7522a80c9b38
                                                                • Instruction Fuzzy Hash: AB115EF1D44319AEF7244A14EDD5BE77768E700714F1042BDE909251C0DABD1ED14E81
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 0537f6831ef87b25b34bd2163f3d0d3b27189272a3781a38149688f3a105cca3
                                                                • Instruction ID: dd63dd764533bcf79234e4b118d1b0ae8167590224fbc425c398a3123947cdd0
                                                                • Opcode Fuzzy Hash: 0537f6831ef87b25b34bd2163f3d0d3b27189272a3781a38149688f3a105cca3
                                                                • Instruction Fuzzy Hash: B421C2B0C097989FEB20CB54CD807E97BB4EB45305F1481EAD58965642DA384FC28F42
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 2cb3affc2ff4254fecea336572ba4f095d382ef30dcc22da5fe8a5b8d7b92f09
                                                                • Instruction ID: eb9dc73c3a5552127d9d16d3ddf9f4e05f60624c7dfc9ea487e32d43997fda5b
                                                                • Opcode Fuzzy Hash: 2cb3affc2ff4254fecea336572ba4f095d382ef30dcc22da5fe8a5b8d7b92f09
                                                                • Instruction Fuzzy Hash: 1021C9F1C057945FEB11CB24CC41AEA7B78EF45310F0441EAD58D56682D6344EC5CF51
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 8a3a25a25885ee490f4b3787fbbd16445d61efeef63b0ebf5783f7b653b1c234
                                                                • Instruction ID: 1e1295b674e33d716efe1ae6599dbfb0135586b9696c21dfdf9dd81b5cb58396
                                                                • Opcode Fuzzy Hash: 8a3a25a25885ee490f4b3787fbbd16445d61efeef63b0ebf5783f7b653b1c234
                                                                • Instruction Fuzzy Hash: 6721F6F1C093A89FEB21DB64CC806DA7B74AF45300F1481EAC8CC66656DA344EC6CF51
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 8a83182f55129e42b541a3deee6ec87b93bd2de8058faa5c4ed02755bc0c932a
                                                                • Instruction ID: 93075da0e0ad5c2b4f381b599c24afb53b09dd2f5f92a14db2cb8957dce3d34a
                                                                • Opcode Fuzzy Hash: 8a83182f55129e42b541a3deee6ec87b93bd2de8058faa5c4ed02755bc0c932a
                                                                • Instruction Fuzzy Hash: 6E11AFB0C087A8AFEB20CB18CD907E97BB4EB45305F1440DAD58D66646DA381FC58F02
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: ce05f57343fb6fb35f3750cd280c89d54947cfdcff4758994c5e5af25b243584
                                                                • Instruction ID: f8a7b83cc0ea431c3e10b0eddc4c800227f91a71156d08bbedfd86c566c932e9
                                                                • Opcode Fuzzy Hash: ce05f57343fb6fb35f3750cd280c89d54947cfdcff4758994c5e5af25b243584
                                                                • Instruction Fuzzy Hash: 591108F2D002199FF714CA08DD89BDBB7B8EB84714F0042F9E90D96240EB355ED08E51
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: bfc02db74607a2fad374082bc440882a44fdb18fa3eb009e915cf8e2cbe528fa
                                                                • Instruction ID: 2a785aeea6b1f142ee41b4fdabbad3fbddee8ad24880823b57442e00eb11deba
                                                                • Opcode Fuzzy Hash: bfc02db74607a2fad374082bc440882a44fdb18fa3eb009e915cf8e2cbe528fa
                                                                • Instruction Fuzzy Hash: 9C01D6B2C403195BF7208A08CD49BEBB778EB80710F1082FED50E96140DE745ED58A92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: bfc02db74607a2fad374082bc440882a44fdb18fa3eb009e915cf8e2cbe528fa
                                                                • Instruction ID: 01ac6b840af7c3cf234fe35b230980817c4432971a92fbf222787bd57ba49e8f
                                                                • Opcode Fuzzy Hash: bfc02db74607a2fad374082bc440882a44fdb18fa3eb009e915cf8e2cbe528fa
                                                                • Instruction Fuzzy Hash: 4801D6B1D4411D5BF7208A24DC45BFBB778FB80310F1082FEE609D6150DA755ED58A92
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 2f0a7b190406e02f7951fdd5666d76d5f632156ab35112b740cbb095b10ba99e
                                                                • Instruction ID: f2e5b7c45f143c9ab89107150fe6d14b1172c381313c2434df9fc8d9d621f16c
                                                                • Opcode Fuzzy Hash: 2f0a7b190406e02f7951fdd5666d76d5f632156ab35112b740cbb095b10ba99e
                                                                • Instruction Fuzzy Hash: 900180B1E002159FF724CA09DD44BEFB7B6EBC8705F0081E9E90C57644DA715AD1CE51
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 7da9b34da933eb82b3e3d2cccf9ac03f4d69967fdff39dd7e497b7ac494cc5fe
                                                                • Instruction ID: 04c98986fda7daa310abb878132b9646612bd4ce5c2002ac6166bbaac81e114a
                                                                • Opcode Fuzzy Hash: 7da9b34da933eb82b3e3d2cccf9ac03f4d69967fdff39dd7e497b7ac494cc5fe
                                                                • Instruction Fuzzy Hash: 9F0128B1D011599EFB60CA15DC88BFE7AB5FBD4308F1480FAD20D66684EE380EC19B11
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 3c1b38a25fdc8e2de1be5dce28c0abe0ca5413b6d9da61b2bb6b2dbed020f691
                                                                • Instruction ID: 372667cc695d65750b9dd8f34a6b2d2ab6715c61892c39b6218722c5dda80af6
                                                                • Opcode Fuzzy Hash: 3c1b38a25fdc8e2de1be5dce28c0abe0ca5413b6d9da61b2bb6b2dbed020f691
                                                                • Instruction Fuzzy Hash: 81012BF6D55748AEFB108965DCDD7FF7A68F714308F1400BBD90A251C0AA780FC44A52
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 7687c3d5f5e5f32277f93cc1f520861e2e3a8ece9d3ce571f9534e378ed6e36b
                                                                • Instruction ID: 8d06c94dcaaa7bbaff95de04bc0b6d066eb8e4bce2a566c6cf49c1f15dd6599a
                                                                • Opcode Fuzzy Hash: 7687c3d5f5e5f32277f93cc1f520861e2e3a8ece9d3ce571f9534e378ed6e36b
                                                                • Instruction Fuzzy Hash: 5F01C0F1D443019FF3248B10DC67FABB728D700B11F1043EDE605652C0DAB80A814F42
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 150e0bff3f0fd519c82fd932d26fb8c87dd71067398a1d6f4a9b709881dac62c
                                                                • Instruction ID: c72a598bbfa7531c5ea741270d2e6bf9fae7d7814fe8404d895eaf2fe2c1d7c9
                                                                • Opcode Fuzzy Hash: 150e0bff3f0fd519c82fd932d26fb8c87dd71067398a1d6f4a9b709881dac62c
                                                                • Instruction Fuzzy Hash: CF2129729116188BDB68CF24CD947ADFBB9FB54341F20C6DD940DAA648D630AB85CF04
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: 0dd488be67c450d0937639697e9db59565c8268bb5d4e7c7d32c4ab70e4c58b2
                                                                • Instruction ID: 9204d2a037500546ae568a469c631a69d3d0a62ed755d00fe4a6a2d61bfd7e44
                                                                • Opcode Fuzzy Hash: 0dd488be67c450d0937639697e9db59565c8268bb5d4e7c7d32c4ab70e4c58b2
                                                                • Instruction Fuzzy Hash: BB21F571A116288BDB68CF14CD947E9FBB5FB94341F10C6DD940DAA648D630ABC5CF04
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 0972d7d4e73790d41f25cf166dfa08cbf310786babae99a9382d6aa5c459bdeb
                                                                • Instruction ID: e8e94615b8faf7a0027092f394428cb5c2ee721c2e43719e6875515a79785d55
                                                                • Opcode Fuzzy Hash: 0972d7d4e73790d41f25cf166dfa08cbf310786babae99a9382d6aa5c459bdeb
                                                                • Instruction Fuzzy Hash: 7301DEB0C0D3999EEF61CB58DC917A8BB78AB05704F1040EB848E95182DE784BC5CF02
                                                                APIs
                                                                • Wow64GetThreadContext.KERNEL32(?,?), ref: 008A1C52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: 8c098a6acac6bdf9bc360c7bf472d2d58f8e676682caf1c7629f84345a9c8b92
                                                                • Instruction ID: aa7fbb07ce319a8080806e3b03aaf770d1677303e4c3522e608d89cfd13af6cf
                                                                • Opcode Fuzzy Hash: 8c098a6acac6bdf9bc360c7bf472d2d58f8e676682caf1c7629f84345a9c8b92
                                                                • Instruction Fuzzy Hash: DCF04EA3F4421957F7208605DC84DEB7769F7C1324F1842F6E80D93740E5785E429BA2
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 7c99aa2ef1d6d4b43470d33901d0641c12083799034dd0b88006a91415536758
                                                                • Instruction ID: fa2ac66ef56d2babff9d896f53d6b368fa2f7fe2a1da59afefe236442f471275
                                                                • Opcode Fuzzy Hash: 7c99aa2ef1d6d4b43470d33901d0641c12083799034dd0b88006a91415536758
                                                                • Instruction Fuzzy Hash: 0101A2B2D403159BF7248A08DD49BEFB7B8EB84710F1082FEE50D96140EE755ED08A92
                                                                APIs
                                                                • K32GetPerformanceInfo.KERNEL32(?,00000038), ref: 00541FDB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: InfoPerformance
                                                                • String ID:
                                                                • API String ID: 3070290716-0
                                                                • Opcode ID: ddf75e3c94f6f7eabd264be4095cd1d32540989ead409d24619650fbdcd16789
                                                                • Instruction ID: 232ed0f6cb3c65ae7db1455384e31e2269f6e103d388e6c41198fd7aa5f79b50
                                                                • Opcode Fuzzy Hash: ddf75e3c94f6f7eabd264be4095cd1d32540989ead409d24619650fbdcd16789
                                                                • Instruction Fuzzy Hash: F521E471A116288BDB68CF14CD95BEDFBB9BB94341F10C6DE940DAA248D630AF85CF04
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 69b08cefd49dd55b361896980a34b9b1129157685e22c8781d8cf5c82a3567dd
                                                                • Instruction ID: 2ae6d91fd2d2550e8fa40cf9471d970aeb0aaf15651540be155ebc8bfed73881
                                                                • Opcode Fuzzy Hash: 69b08cefd49dd55b361896980a34b9b1129157685e22c8781d8cf5c82a3567dd
                                                                • Instruction Fuzzy Hash: B00126B084939C9FF7308B688E85F857BA0AB02710F1403CADA889B0C3DA7259E58747
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: 2096d848a2c918bb73613acaf5a69768e41e2b836c55beb2415c0272f4ccb7fb
                                                                • Instruction ID: d617fe25adc1c2ee7f998c61c6f40dcf927272fc56a805e8d7cc26ee8c156981
                                                                • Opcode Fuzzy Hash: 2096d848a2c918bb73613acaf5a69768e41e2b836c55beb2415c0272f4ccb7fb
                                                                • Instruction Fuzzy Hash: A101A9B2D403155BF7148908DD49BEF77B8EB84714F0042FEE50D96140DE795ED48B92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 69b08cefd49dd55b361896980a34b9b1129157685e22c8781d8cf5c82a3567dd
                                                                • Instruction ID: f05ef2939924ad09d3555d114a33af13a30153fc535ccc4fdd47c7d8290d1b38
                                                                • Opcode Fuzzy Hash: 69b08cefd49dd55b361896980a34b9b1129157685e22c8781d8cf5c82a3567dd
                                                                • Instruction Fuzzy Hash: 9101A2B084939C9FFB309B648D85BA47BA4BB02324F1403DADB84DB0D3DA7259D58742
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 8e377f1436017c98d852b5703657d093bcda267e2ca7d53ad50a524be4e803ee
                                                                • Instruction ID: d356ffa141fa838cb882c1135feb2bfaa8d5a4e87e5046acdcdb7af4d854796a
                                                                • Opcode Fuzzy Hash: 8e377f1436017c98d852b5703657d093bcda267e2ca7d53ad50a524be4e803ee
                                                                • Instruction Fuzzy Hash: 7C0149B1E403159EF7248A14DC66B9AB764D704715F1042EAEA0A661C0CAB44A924F82
                                                                APIs
                                                                • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000002), ref: 008A7B03
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 86f76b6614d17a051bda776851b527900005e954d89e016031733f699e39ec76
                                                                • Instruction ID: 388050a39704dfde351dda9410aa7c78e9f8c831f61d4bff0496f45d8c8bf595
                                                                • Opcode Fuzzy Hash: 86f76b6614d17a051bda776851b527900005e954d89e016031733f699e39ec76
                                                                • Instruction Fuzzy Hash: 0C116D74E052299FDB64CA14C884BD9B7B6BB89304F5081DAE50DA7245D7306EC18F91
                                                                APIs
                                                                • ExitProcess.KERNEL32(4F56E159,?,?,?,?,?,?,?), ref: 0054AF1B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ExitProcess
                                                                • String ID:
                                                                • API String ID: 621844428-0
                                                                • Opcode ID: 589bf3444c04627360982fcb91a84b097f39daff2c3a021ab98682fbcd18fbee
                                                                • Instruction ID: 1fb7ca9e4a06676fdcce1ad24c486a509610ea55bb13cb0fe19003492f56ba8d
                                                                • Opcode Fuzzy Hash: 589bf3444c04627360982fcb91a84b097f39daff2c3a021ab98682fbcd18fbee
                                                                • Instruction Fuzzy Hash: DCF059F3E081059BF714591AEC598FBBBA1EB84310F1005B7D80F932C0E5791A879992
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: 7ccd72c164a6a63abb6b1a0ca6adb13bf7a71921eec9e054ea4c4f66b8b686a3
                                                                • Instruction ID: 73589e04e40ba5d9a2698aeb0643a79332e8f103f5b93e1bc04044eecbb282df
                                                                • Opcode Fuzzy Hash: 7ccd72c164a6a63abb6b1a0ca6adb13bf7a71921eec9e054ea4c4f66b8b686a3
                                                                • Instruction Fuzzy Hash: 7801ADB080DB989EEF218B64EC913E87F74EB85301F1485DB858A5A582DA344EC5CF42
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: a3ff26130b87f4c6e6cf8e8527dfe7ef5916ab7469b4874f2affc48c7914ffc7
                                                                • Instruction ID: 5fc18bcf824affef868c1e668c0fd8b8b26b87db6aff9a71781a53eaaa7b957f
                                                                • Opcode Fuzzy Hash: a3ff26130b87f4c6e6cf8e8527dfe7ef5916ab7469b4874f2affc48c7914ffc7
                                                                • Instruction Fuzzy Hash: 48F0FFB29042259BE724CA08DD45BEBB3B9EB84744F0042F9E50CC6240EA309EC08B81
                                                                APIs
                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory
                                                                • String ID:
                                                                • API String ID: 4241100979-0
                                                                • Opcode ID: b5b16123d979ef107935534d65d5280034cb6f277c15b7f94b4371f8bd0fd022
                                                                • Instruction ID: dd780ec795cdb5cb3607ca565754beef006dfde77a823136e8d6e3c90c7455d2
                                                                • Opcode Fuzzy Hash: b5b16123d979ef107935534d65d5280034cb6f277c15b7f94b4371f8bd0fd022
                                                                • Instruction Fuzzy Hash: 5B019EB08497989FDB21CB64CC802E87BB4BF46300F1481DAC88966642D9354EC6CF02
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: bc28fe50a3e8f760e5f7430cb8f6fe7245352ee726830db6f4d766f2b14a25ad
                                                                • Instruction ID: c6f4d85d226a2df1edcc9de2b201c0e993e13d764e51b2a0a468043ff2deaf90
                                                                • Opcode Fuzzy Hash: bc28fe50a3e8f760e5f7430cb8f6fe7245352ee726830db6f4d766f2b14a25ad
                                                                • Instruction Fuzzy Hash: 43F08BB0E483519EF7344614DC67BAA3B64D300B16F0003EAF246750C0C9B845914F82
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 3BEBFFDF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 3c93fb828ada443b9efa170ebd41a4fb8ecfc03bb988ab3c230753c55dd2ba9a
                                                                • Instruction ID: 9f785bc9f4d8b679bd155113f40e95c30d7087b7068944d46f9122338b1a57b2
                                                                • Opcode Fuzzy Hash: 3c93fb828ada443b9efa170ebd41a4fb8ecfc03bb988ab3c230753c55dd2ba9a
                                                                • Instruction Fuzzy Hash: 44F02BB1D483559EF7344614DD67BAA7754D304B16F0003AAF61A750C0DDB946D14E83
                                                                APIs
                                                                • Wow64GetThreadContext.KERNEL32(?,?), ref: 008A1C52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: 3e1a71f1e1229be6389425e9d7b94b1e9cdb5c319d6177a78429b1da9a49a8e2
                                                                • Instruction ID: 8bbb1c1f3fc321fad5326accc3f02082d57e4e7debc70145b6f47ca7f3b8d403
                                                                • Opcode Fuzzy Hash: 3e1a71f1e1229be6389425e9d7b94b1e9cdb5c319d6177a78429b1da9a49a8e2
                                                                • Instruction Fuzzy Hash: E0F024A3F4411956F7108555EC48AE7B659E7C1328F1D42B6E80D43680E5B85A4286E7
                                                                APIs
                                                                • Wow64GetThreadContext.KERNEL32(?,?), ref: 008A1C52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: e8a0da94e03c2ca990e8df0baf023a24f2e9310f9c78de3821ab3bc752b7ce53
                                                                • Instruction ID: fd3ac5da4a2994ae997b93528c11e0ad93b566e0474b553a1596172484ce6a2e
                                                                • Opcode Fuzzy Hash: e8a0da94e03c2ca990e8df0baf023a24f2e9310f9c78de3821ab3bc752b7ce53
                                                                • Instruction Fuzzy Hash: B5F059A3F5551957F7108511EC48BF77659F3C1328F2C82B6E80D42A40AA784E4246A2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: MemoryProcessRead
                                                                • String ID:
                                                                • API String ID: 1726664587-0
                                                                • Opcode ID: b1b0aa7b1dcbee0c97987e4577207dfe96ed0bb0c124736661a43d39d5c6097d
                                                                • Instruction ID: 87321f809202ad382e088ccd1603fb657f846f884fd76157359bf803fd347c5e
                                                                • Opcode Fuzzy Hash: b1b0aa7b1dcbee0c97987e4577207dfe96ed0bb0c124736661a43d39d5c6097d
                                                                • Instruction Fuzzy Hash: 5DF0AF70E9426D8FEB24CE24CC81BA9B375FB41304F2445DAE949AB210EA316E90CF51
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 008B3D9D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: eb6e6033f83c1b800f464117a870e0b5270601a7969b9483d7cde954c8190ac9
• Instruction ID: cfafa23fb0e755d7cdb1297f2917f26372d3d0b87b998f88f4a7e801a56165d6
• Opcode Fuzzy Hash: eb6e6033f83c1b800f464117a870e0b5270601a7969b9483d7cde954c8190ac9
• Instruction Fuzzy Hash: 42F0A4F1D140189BEB24CA14DC459EAB371EB84310F1482FEE90D53740DA346F818E51
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 889e97d6c987780d42274e28564b4d68900ddf24bbc49eca2263a908929c36e8
• Instruction ID: 3050c1aaa267490527685f98fad68d76076755d949caeb68c4e1c8309a75986c
• Opcode Fuzzy Hash: 889e97d6c987780d42274e28564b4d68900ddf24bbc49eca2263a908929c36e8
• Instruction Fuzzy Hash: 6F018BB0C097989FDB258F64CC806E97B74EF85300F1481DB858E6A686DA344EC6CF51
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
Memory Dump Source
• Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 59606b1561a1596bb3b3f7a52d5543d4f86b5cd184bd1a5d175335cdb2ad6d12
• Instruction ID: a12b2f2d7e0b1a819ae424ff45600a5322098fc6dc9dd4e605b6b94e0f9a090e
• Opcode Fuzzy Hash: 59606b1561a1596bb3b3f7a52d5543d4f86b5cd184bd1a5d175335cdb2ad6d12
• Instruction Fuzzy Hash: C9F0F6B0D003599EDB508A54DCC8AEE7AB4FB14344F2440F5D60966140DA305F809F41
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
Memory Dump Source
• Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 7f83a5948cd5fa08e66a535b4ca4a47da19c6527dbbe5bf6e712a519cd15ffd5
• Instruction ID: 7730eb1af8466d1ac804f2c728d1f4fb9ed6b4115c5e9f5ededf855cea689a36
• Opcode Fuzzy Hash: 7f83a5948cd5fa08e66a535b4ca4a47da19c6527dbbe5bf6e712a519cd15ffd5
• Instruction Fuzzy Hash: 42F0F0B1D04259EEEB548A24DC98BFEBA74FB14344F2441EAE20A66280EE305F809F41
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: a3673533a87154fac15baa9fbaad9243ba3a695150b45407d42062fa27ed3f64
• Instruction ID: c1ce0eb21da213b938b4759a13900fa736395a06ce3bcd4b349a8d93f6ca5613
• Opcode Fuzzy Hash: a3673533a87154fac15baa9fbaad9243ba3a695150b45407d42062fa27ed3f64
• Instruction Fuzzy Hash: CBF062B08097989EEB119B64DC847E87B74EF46304F1485CB858959952D9344EC6CF12
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 8be58a5ba2d8708b62efebd91eaa6239e09be156fd4e2911a248c9f1854826e2
• Instruction ID: d73b605ed607305f4834868ba14e6ab7879ada61edb42c8a85a060c6f06ed6c2
• Opcode Fuzzy Hash: 8be58a5ba2d8708b62efebd91eaa6239e09be156fd4e2911a248c9f1854826e2
• Instruction Fuzzy Hash: FB016DB0C097A89FDB21DF54CC806E9BBB4FF4A300F1484DAD989A6652DA345EC5CF51
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 89d94bef9597d4d92e84d7933236b5f247e91ef74edf0ef0d6301d513ff85d72
• Instruction ID: 0a6bf90621a59a0e15edda256ce34c6d58f2ac24aed5d6eaa228e63d9930168c
• Opcode Fuzzy Hash: 89d94bef9597d4d92e84d7933236b5f247e91ef74edf0ef0d6301d513ff85d72
• Instruction Fuzzy Hash: 24016DF0C097989FDB21CB64CC806E9BB74AF85300F1481DA858D66A56DA344FC6CF52
APIs
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: c95596273da07887f75c34247230870368e1932c61e38ee3b380f087e92f8b45
• Instruction ID: 0c192a79106b0717ae6f5ab34e09ee2b802b58050b3c45e68009719a4f9e5d9f
• Opcode Fuzzy Hash: c95596273da07887f75c34247230870368e1932c61e38ee3b380f087e92f8b45
• Instruction Fuzzy Hash: 95F09071D453259BE724CA08CD45BDFB7B9ABC4740F0081EAE80D97240DA715E918F92
APIs
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 44e092d4f00f339af3886883f2f3d58f815fc98c0d3cbf728c229977b94ef947
• Instruction ID: dca7bec64f297055ac0e9062a5594180e26d47661e4c938f79884ccc3e451106
• Opcode Fuzzy Hash: 44e092d4f00f339af3886883f2f3d58f815fc98c0d3cbf728c229977b94ef947
• Instruction Fuzzy Hash: D2F090B1E013299BE724CA09DD49BDFB7B9ABC4740F0081E9E80D57200EA715E918F92
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00548D68
Memory Dump Source
• Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 9e9220c42fb87bd58d36238439cb5af835d38d135e16808607df36c22974fa7f
• Instruction ID: 8c9ca9a7dca5ed771ed165a591ec9678ecae8819058ba7b89c7fff60b9c34f78
• Opcode Fuzzy Hash: 9e9220c42fb87bd58d36238439cb5af835d38d135e16808607df36c22974fa7f
• Instruction Fuzzy Hash: 10F0E9B5D00259EEDB508A24DC89BEE7BB8FB14348F1440EAE50A66240EE305FC09F51
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 4da155b7270e5f763f467b2bbea9c4e1a0f2ecb59df55eef71f64e930374b23a
• Instruction ID: 5830a3c5ab1e28fd9235a259c97ad4901c6226f48de6ef6b530a67b49515a5e3
• Opcode Fuzzy Hash: 4da155b7270e5f763f467b2bbea9c4e1a0f2ecb59df55eef71f64e930374b23a
• Instruction Fuzzy Hash: 5DF06DF080D398AEEB218B64DD807E97F74AF46300F1484DBC98D59A42E9344EC6CF52
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 73216912db791f1a54dbe9b6b37dc1ced7121c660562699ef8032e48f08030e6
• Instruction ID: 880204e945a12b8915141b2ea8009258a35b997b13db92d3c4fc8559747f518e
• Opcode Fuzzy Hash: 73216912db791f1a54dbe9b6b37dc1ced7121c660562699ef8032e48f08030e6
• Instruction Fuzzy Hash: C0F049B080D7985EEB618B64DCA13E97F74AF4A300F5490CB858A59586DA784AC6CF42
APIs
• CreateFileW.KERNELBASE(FFFFEC10,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 3BEC7C76
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5917ee02ac80a25e1e350b8ad602b8dec04e6f8841636b6bfab8aaae1c87dd5e
• Instruction ID: 93458d21e52be1ac4ce7d9aa71ffcb2c4af22b71e96577cf26a00eaa68034c10
• Opcode Fuzzy Hash: 5917ee02ac80a25e1e350b8ad602b8dec04e6f8841636b6bfab8aaae1c87dd5e
• Instruction Fuzzy Hash: 06F0E2B084535C9AF7308B288F46F89B360B701714F5043C5DA4C6A0C2DE725AE88787
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 008AFF17
Memory Dump Source
• Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 4b1e88e36ce93b7ba24727c0c3308c50cd09e8843a5764623ac154bd2e5a63f4
• Instruction ID: 1f73000797291e8e04da5e784c3202668843c9db1c75effb0fd0d8e531d94c79
• Opcode Fuzzy Hash: 4b1e88e36ce93b7ba24727c0c3308c50cd09e8843a5764623ac154bd2e5a63f4
• Instruction Fuzzy Hash: 49F09071A091588BDB21CB64CC50BE9F7B4FF8A704F0506DAD609D7252E7726E80CF50
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 008A3BFA
Memory Dump Source
• Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 625410a37b22a9b7d6fe6919a752dbb3e7a8ca3ed0d2f590c162f39962028468
• Instruction ID: b3b4baea4cee564d4cbd11570f8ebc10346607bbdb9ff657b281a847e304b7e0
• Opcode Fuzzy Hash: 625410a37b22a9b7d6fe6919a752dbb3e7a8ca3ed0d2f590c162f39962028468
• Instruction Fuzzy Hash: 89F0F970A4425E9BEB64CF14CC81BE9B3B5FB45304F1442DAA909EB740E6716F90DF91
APIs
• CreateFileW.KERNELBASE(FFFFEC10,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 008F7C76
Memory Dump Source
• Source File: 00000000.00000002.2199701952.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_AdobePDF.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5917ee02ac80a25e1e350b8ad602b8dec04e6f8841636b6bfab8aaae1c87dd5e
• Instruction ID: c11f6d7c43eac3d6beb82cf21ae15a0d80088232231b1273852b8ebc1b0bc89c
• Opcode Fuzzy Hash: 5917ee02ac80a25e1e350b8ad602b8dec04e6f8841636b6bfab8aaae1c87dd5e
• Instruction Fuzzy Hash: 2CF0A7B084925C96F7308B344E45FA8B760F701324F6043D9DB49EA1C2DA725AD98783
APIs
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1737019ecd1178840d42969b53393d212ccb7ff45af6c1efb5a35208b3742a33
• Instruction ID: 478afbd8f6fe1d765361eb85f37fa75f9c959812dbab8d57f1ded16ef341d99b
• Opcode Fuzzy Hash: 1737019ecd1178840d42969b53393d212ccb7ff45af6c1efb5a35208b3742a33
• Instruction Fuzzy Hash: 42E0E5B19453049BF714CE08DD85BDFB3B8FB84B00F0042D9E90C96140EE315AD04B92
APIs
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 3BEB7CFA
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 3ceba7b5edd1d0aae760407d4cdb6dbc1adc1b9b3abc873ebccaf818db68ac8a
• Instruction ID: a1bbf8d19ed28d423987352a7b902de8c9c6628a309dd3e4ec48fe195baf93e2
• Opcode Fuzzy Hash: 3ceba7b5edd1d0aae760407d4cdb6dbc1adc1b9b3abc873ebccaf818db68ac8a
• Instruction Fuzzy Hash: 8DF030B08097985EDB219B64DC807D87F74AF46300F1484CB858995546D5384AC6CF52
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 008A3BFA
Memory Dump Source
• Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 989f7e2691895f4c4eae5f5a1ac0169af1bae3fdc8fde973d8a10aeb4075cbd5
• Instruction ID: 53a1da261af16fba0d8d00dfbe5ce28d9fde1e39d4f7ce7e0a348bdb7b440bea
• Opcode Fuzzy Hash: 989f7e2691895f4c4eae5f5a1ac0169af1bae3fdc8fde973d8a10aeb4075cbd5
• Instruction Fuzzy Hash: 65F08C70A8425E8BEB24CE10CC41BA9B3B5FB44304F1402EAA909E7340EA316E90CF51
APIs
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
Memory Dump Source
• Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 47fe5f217c72ca5ca5e0fa0af1c64c4ca912e62872e5afa83144d4973201f4c0
• Instruction ID: ee5dcfd491bbf3425d46816bb28d11d3725fa8965a215c1dce42f88f11bee442
• Opcode Fuzzy Hash: 47fe5f217c72ca5ca5e0fa0af1c64c4ca912e62872e5afa83144d4973201f4c0
• Instruction Fuzzy Hash: 71F01C71E452199FEB24CE08DD85BDFB3B5AB88740F0041E9E90D97240EB715E908F52
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 008B3D9D
Memory Dump Source
• Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 6af1f9d2bdd9226b58ddcdfc8b66c678bf12d2fca36443aece06f2f9f4abe799
                                                                • Instruction ID: e39d334843af9005a084217a7ff7877dd6263a1b437e74e43f0ca338152a3efc
                                                                • Opcode Fuzzy Hash: 6af1f9d2bdd9226b58ddcdfc8b66c678bf12d2fca36443aece06f2f9f4abe799
                                                                • Instruction Fuzzy Hash: 20F0FEB5E5912C8BDB24CA54DC84AD9F371FB88314F1482E9E90DA3300D6705F81CF85
                                                                APIs
                                                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 3BEC5DA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2226407251.000000003BEB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 3BEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_3beb0000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: f0330247564dc4767c04e071366ff6f88d16d1fcaafbe75ff3ee70370e0235b4
                                                                • Instruction ID: 200bd145e95fa15cd4e579e93aa0e14f5dda8129bfb2cd4a8d22e6ab8e3620b8
                                                                • Opcode Fuzzy Hash: f0330247564dc4767c04e071366ff6f88d16d1fcaafbe75ff3ee70370e0235b4
                                                                • Instruction Fuzzy Hash: B5F01C71A452199FEB24CE04CD85BEFB3B5AB84641F0041DCE90D96240DB715E908F41
                                                                APIs
                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 008B3D9D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: ContextThreadWow64
                                                                • String ID:
                                                                • API String ID: 983334009-0
                                                                • Opcode ID: 25eab12cdd1881c58f0784d1ea844a7281fa14ee3f30fa1b374599663eeac4c7
                                                                • Instruction ID: a9282d6e80755cc96e049e173ac1c519f864be8997ad0f4719a45004a9505ce2
                                                                • Opcode Fuzzy Hash: 25eab12cdd1881c58f0784d1ea844a7281fa14ee3f30fa1b374599663eeac4c7
                                                                • Instruction Fuzzy Hash: EEE0EDB195912C8BDB24DA54DC44AE9B374FB48314F1442D9E909A3301D6705F819F91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 19e9cf5a1c1cc5203cd2dd0ba82218c2acd3c1330582572b0102b56d5fbdad39
                                                                • Instruction ID: 15fcc64598406632433efd5e90e2d1afa65a55d838cfdada9dd0aa4462a184f8
                                                                • Opcode Fuzzy Hash: 19e9cf5a1c1cc5203cd2dd0ba82218c2acd3c1330582572b0102b56d5fbdad39
                                                                • Instruction Fuzzy Hash: 9E6104A1D045289EEB25AB64DC587FA77B5FF81309F1840FAD44EE6281E7780EC5CB12
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 3a2a005e3ecbe70028827913c9b8a22539d5b69178a6e777e11957e47e742657
                                                                • Instruction ID: 6b776ba6256c79084dc36f0674dde34d01ed0fde67a2066bee7f6b265e80bb9c
                                                                • Opcode Fuzzy Hash: 3a2a005e3ecbe70028827913c9b8a22539d5b69178a6e777e11957e47e742657
                                                                • Instruction Fuzzy Hash: 5861D0B1D045299FEB209A14DC58BEBBBB5FB80319F1801FAD80DA6280E7785ED1CF51
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 079e5bb0d5becda0254310098e1766e096602e53eadd165bae30918e560c8f3b
                                                                • Instruction ID: e7ada96e59bfe3db44c76e529841a210e5e7377711283661c2501658af5352c2
                                                                • Opcode Fuzzy Hash: 079e5bb0d5becda0254310098e1766e096602e53eadd165bae30918e560c8f3b
                                                                • Instruction Fuzzy Hash: 445105A1D045289EEB24AB64DC547FA7775FF81319F1840FED40DA6280E3781EC5CB52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 320e515f3a01278530aed95d9e5a5059ef9cd0be8eeac83e70b76c15e0da0a7c
                                                                • Instruction ID: 36e1a0a1a587c2c5bff31ac296a0de5d6d26bda63d9ad37b81a7c6aea238b70b
                                                                • Opcode Fuzzy Hash: 320e515f3a01278530aed95d9e5a5059ef9cd0be8eeac83e70b76c15e0da0a7c
                                                                • Instruction Fuzzy Hash: 4451F3A1D045289EEB24AB64DC547FAB775FF81319F1840FAD40EA6280E3B81EC5CF12
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 41b728e973fefd40d84a6473778ed0205eabd845dd9657455c1ad525a2b8e602
                                                                • Instruction ID: 0bc6b3c60b8b20b8a476797ea6fa058465d06f6d3097cb23373015210a5ddd17
                                                                • Opcode Fuzzy Hash: 41b728e973fefd40d84a6473778ed0205eabd845dd9657455c1ad525a2b8e602
                                                                • Instruction Fuzzy Hash: D05126A1D045289EEB24AB24DC547FA7774FB80319F1801FED40EA6281E3B81EC5CF12
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: e554d3377cd69e0e0acd52f5144e21c496007c7a32a2cd0d613f850e24a2d931
                                                                • Instruction ID: 3e5dd4749b389ac6f90603a1d5585d0e0b0db8957fe2cf034a37034eb4dd7161
                                                                • Opcode Fuzzy Hash: e554d3377cd69e0e0acd52f5144e21c496007c7a32a2cd0d613f850e24a2d931
                                                                • Instruction Fuzzy Hash: 0B5128F1C012989FEB289B14DC61BF67778FB41318F1441FED68AD2282D6745EC18E41
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 6dc3772f428c3de515bb6db0cc3bc38c0145c5839b3ca07ec8f144fc5eaae238
                                                                • Instruction ID: ca319c354615d9a6a261fa7fda7be01fd19f5f7d6707261bd3b4fdfb85577afd
                                                                • Opcode Fuzzy Hash: 6dc3772f428c3de515bb6db0cc3bc38c0145c5839b3ca07ec8f144fc5eaae238
                                                                • Instruction Fuzzy Hash: B851E0B28045289BEB259A24DC58BEA77B9FB80319F1841F9D40DE6A80E77C5FC4CF51
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 30d6a27fcb588c09c6c8bb05ccd0091f17b35592794b2dd488fcaead06f647b6
                                                                • Instruction ID: 70938426f99a7ed7c7bdac9673f38cbbf12d8b57cc69501d2862d6fd79672024
                                                                • Opcode Fuzzy Hash: 30d6a27fcb588c09c6c8bb05ccd0091f17b35592794b2dd488fcaead06f647b6
                                                                • Instruction Fuzzy Hash: C841F0A1D055299EFB24AA10DD587FAB7B5FB80319F1801FED40EA6180E3B81EC5CF12
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 0a7c33062406aebd17d1a924a42dd99fe0caa8e63e02dcba4bea1733c862e851
                                                                • Instruction ID: 9324175f3d236d7e1df85dfe2d5d16cf24649f7d44fdbc858b8c5c9a1793095e
                                                                • Opcode Fuzzy Hash: 0a7c33062406aebd17d1a924a42dd99fe0caa8e63e02dcba4bea1733c862e851
                                                                • Instruction Fuzzy Hash: 204192B2D04529ABEB259A14DC48BEA77B9FB80319F1840F9D50DE6680E7781FC4CF11
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 627a1c31879ae3f1f6f622f1c0c184054866aba6415f6fe3ecef29248e607345
                                                                • Instruction ID: ac36af7ed7c0b0667df2f960dddd1d3cc6d9749e0d796d5a735ddab1dfe1bb2b
                                                                • Opcode Fuzzy Hash: 627a1c31879ae3f1f6f622f1c0c184054866aba6415f6fe3ecef29248e607345
                                                                • Instruction Fuzzy Hash: 5A41A1B19045199FFB219A14DC88BEAB7B9FB80319F2841F9D40DA2580E7791FD5CF11
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 6b52c9bd5cd35f8fde46274a5cadb98086fa936bbc3b249f4884afbc47d0d8e1
                                                                • Instruction ID: 2bb0c895ce398af059f3e3549eca6b75f23eb464ddc4c5bee30e26da573c3126
                                                                • Opcode Fuzzy Hash: 6b52c9bd5cd35f8fde46274a5cadb98086fa936bbc3b249f4884afbc47d0d8e1
                                                                • Instruction Fuzzy Hash: BB41E0B19001699FEF24DA54DC98BFA7BB5FB41319F2841E9D409E6180E7781ED4CF41
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 90853c554411dfcf14930fdbbeb2311955c14448743e8d1d2cd89427394e690a
                                                                • Instruction ID: 92a2407643f5f06c86bf51bc5a26a80cc6295a71d8da75017e0fe8487857f1b5
                                                                • Opcode Fuzzy Hash: 90853c554411dfcf14930fdbbeb2311955c14448743e8d1d2cd89427394e690a
                                                                • Instruction Fuzzy Hash: E3316BB28096916FE7019B30AC4DBFA3F65FFC2309F0844FAE4455A483D239544AD762
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: d5941c21ee62b00bdd138d896b61674c8fa5a209843a8ab524520f43a098dc5c
                                                                • Instruction ID: 565c5b2dc421461d2eddf3da6b99e16f490f53ad021b61fb1cfc45f81be694cb
                                                                • Opcode Fuzzy Hash: d5941c21ee62b00bdd138d896b61674c8fa5a209843a8ab524520f43a098dc5c
                                                                • Instruction Fuzzy Hash: 3941B0B1D046289FEB259A14DC98BEAB7B9FB80319F1840F9D40DA6680E7791FC4CF11
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 7c00e052772e684cd05d6c0d41aca2f146f125b55617b865bf1b739c07cefec6
                                                                • Instruction ID: 8901193e7e191737ecaac21d236370b6417c2e9dec633d87292b72f94af40f60
                                                                • Opcode Fuzzy Hash: 7c00e052772e684cd05d6c0d41aca2f146f125b55617b865bf1b739c07cefec6
                                                                • Instruction Fuzzy Hash: AA4182B19046299FEB319A14DC98BEAB7B9FB80319F2840E9D40DD6580E7791FC5CF11
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: ffadc30819fd47260dec25e684920bac409ef7f22704a88c59984bda8934808c
                                                                • Instruction ID: b8705c633246bda0d158fe863a9dce51ccb1bedb72ea4dce631f15cde6599140
                                                                • Opcode Fuzzy Hash: ffadc30819fd47260dec25e684920bac409ef7f22704a88c59984bda8934808c
                                                                • Instruction Fuzzy Hash: 4D41DEB08006699FEF24DA54DC98BFA7BB9FB40329F2801E9D109E6181E7791ED5CF01
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 40271f1d74712419302199915dbdcb29aedb7cd8383cc6fd1a28ca08dcc7dd0b
                                                                • Instruction ID: b3f090e60090d80c4ec7009055afb4405dda0ac0d2ba6541383f34111ed5052a
                                                                • Opcode Fuzzy Hash: 40271f1d74712419302199915dbdcb29aedb7cd8383cc6fd1a28ca08dcc7dd0b
                                                                • Instruction Fuzzy Hash: DF3128B2D066559FF7108A20CD89FEA7F34FB92309F0441FBD84956681D6385DC68F22
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 8164a54eaac1fe58dae35d80ddbff3eecd5c86d4d4afbb0638b86fcfcf3c9d56
                                                                • Instruction ID: b0e154617714e47b9c978d9fb4d3f032122ac89df8ffbfdedac1652269e6c80f
                                                                • Opcode Fuzzy Hash: 8164a54eaac1fe58dae35d80ddbff3eecd5c86d4d4afbb0638b86fcfcf3c9d56
                                                                • Instruction Fuzzy Hash: 2331C0B0904519AEFB25AA00DC597EA77B5FB8131AF2840EDD00ED5181E7B81ED9CF12
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: fcfec64b2f459e2e40738ad50382c71cd9790dc031c0a733d6dc0be868121ab7
                                                                • Instruction ID: 45d7557a228179cf0ec1d7a97ca8e634cf81b3b345ab28dd0ff76389eb152d48
                                                                • Opcode Fuzzy Hash: fcfec64b2f459e2e40738ad50382c71cd9790dc031c0a733d6dc0be868121ab7
                                                                • Instruction Fuzzy Hash: 6B216BB2D4022CAFFB248A14DC85BE77B74F780324F1401BAD94D96281D2B51EC68E92
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 6454830a4f054a16947425cb9900bbae0bf35ca6845a0f0611ab251f2c45df10
                                                                • Instruction ID: 30ee51ec892e40171fe6d2e2ff3573e3b3de5bb88e1c9bee8844361c5e267ec0
                                                                • Opcode Fuzzy Hash: 6454830a4f054a16947425cb9900bbae0bf35ca6845a0f0611ab251f2c45df10
                                                                • Instruction Fuzzy Hash: E72155F2E053559FF3104A20CC88BA67E39FBD2309F0541FAD84C56285D6780EC68F22
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: ed4a8d80a7f211fa34c9ea690a621adddbf6b81696f7452e8f3b4041c4f785d6
                                                                • Instruction ID: 64eb29431a8cd0a627fb73869059dbda80304ffaf97eae36a047acaaf1968f30
                                                                • Opcode Fuzzy Hash: ed4a8d80a7f211fa34c9ea690a621adddbf6b81696f7452e8f3b4041c4f785d6
                                                                • Instruction Fuzzy Hash: 8131C3B09046199FFF25AA10DC587EA77B5FB4131AF2840E9D409D5181E7B80ED5CF12
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 7ac4d2b4905567a6e88836432dafe0c2d797d912567251b6eb54dfbef2577bab
                                                                • Instruction ID: 3f2f1dcd2d9c125c82de2e39eb7bab9155720a0987b6966bfa2b224503345986
                                                                • Opcode Fuzzy Hash: 7ac4d2b4905567a6e88836432dafe0c2d797d912567251b6eb54dfbef2577bab
                                                                • Instruction Fuzzy Hash: 5E318FB09002299FFF249A14DC58BFAB7B5FB40319F1800E9D509A6280E7B91ED4CF51
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: b62ad6a7f0aab75346c870d8489d4f7b6f1fb45f3e973621976ff543b5d252eb
                                                                • Instruction ID: 99d1ca62c514426646cd81175e19d764c7833bfe1e43cd2994572dca48df8d52
                                                                • Opcode Fuzzy Hash: b62ad6a7f0aab75346c870d8489d4f7b6f1fb45f3e973621976ff543b5d252eb
                                                                • Instruction Fuzzy Hash: 9021BCB09046199EFF25AA10CC587EAB7B5FB4131AF2800E9D00AD6181E7B80ED9CF12
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 1480d8d4cdf07f93a2b377e4d2fa41717d8b781a4d6b462fedf04bb82925dd48
                                                                • Instruction ID: 6a27ebc01bc1dcb41d52ff2151549806a4ffacf668c24524810e9ba2240fc7ff
                                                                • Opcode Fuzzy Hash: 1480d8d4cdf07f93a2b377e4d2fa41717d8b781a4d6b462fedf04bb82925dd48
                                                                • Instruction Fuzzy Hash: 6E218BB1E456289FEB24DA14CC40BAAB7B1FBC4329F1481F9D90CA7342D6315ED1CE81
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: e18a0dd44b4699bd0716cdf494cd7dae33980a68cc50f531410840667f69fd55
                                                                • Instruction ID: e35e6181aab4aedeb1a05c85298f03739a84a26e582fd3b353099731d3dbcdb6
                                                                • Opcode Fuzzy Hash: e18a0dd44b4699bd0716cdf494cd7dae33980a68cc50f531410840667f69fd55
                                                                • Instruction Fuzzy Hash: 6F215EB09045199BFF25AA10DC58BEAB7B5FB81319F2800E9D00ED6181E7B91ED9CF11
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 8d9ee259ff3f94485c1f37c7a59302eb98429301dbdbfab71f1e43876b62d993
                                                                • Instruction ID: d23a00b70988f22ca2388678a4acee2fd5b2280af2d9b29f9278514ec95cc5f3
                                                                • Opcode Fuzzy Hash: 8d9ee259ff3f94485c1f37c7a59302eb98429301dbdbfab71f1e43876b62d993
                                                                • Instruction Fuzzy Hash: E811E3F2D092619FF3104A10CD49BFA7E34FBD2315F1481FAD54D5A585D2391E868B62
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: ac22baa1be71debf2615b1886561a3e15a5791230d8d2906a002dffa5220dbc6
                                                                • Instruction ID: 06a482c6c4d7caa1dad016bb6d709eb7ef82b769fc9ce01a05f5b11c1df2d086
                                                                • Opcode Fuzzy Hash: ac22baa1be71debf2615b1886561a3e15a5791230d8d2906a002dffa5220dbc6
                                                                • Instruction Fuzzy Hash: 431123B2D066619FF3108A20CD4CBEA7F34FBC1306F0440FAD84C6A586C6380E86CB62
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 2b044ff38f519fdca33a3187307b03a8436c414e9064ba15c8dfb274331cbb5d
                                                                • Instruction ID: 2b8c0d77f0515ee244ce80e4e93b5f6613ad8170f1d69fb9e9e518c47fe554b6
                                                                • Opcode Fuzzy Hash: 2b044ff38f519fdca33a3187307b03a8436c414e9064ba15c8dfb274331cbb5d
                                                                • Instruction Fuzzy Hash: 20213BB09055299FEF25AA10DC58BE9B7B5FB41319F2800E9D409E6281E7791ED4CF01
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00896AF4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: e47c5292232cf840c791c5023726676e7b93899ee519080754b9ced792c4061f
                                                                • Instruction ID: d6802ae1c4425f9cf720b5cef38de9540c20b742a473e12b68c2aad70a5d6431
                                                                • Opcode Fuzzy Hash: e47c5292232cf840c791c5023726676e7b93899ee519080754b9ced792c4061f
                                                                • Instruction Fuzzy Hash: D2215EB09045699FEF35AE14CC58BE9B7B5FB81319F2800E9D009E6181E3B90ED4CF01
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 8a64bb7d22fe79e4a6ba6a127545e578cc1dabd6cc02dd890bf2f65a442d7bdd
                                                                • Instruction ID: ed5d0494762b1713d714b6b182cd3bf426ad97ee38150477a7ff2a9b948da22e
                                                                • Opcode Fuzzy Hash: 8a64bb7d22fe79e4a6ba6a127545e578cc1dabd6cc02dd890bf2f65a442d7bdd
                                                                • Instruction Fuzzy Hash: 941104B2E096559FF7118A20CC89BAA7F34FBD1305F1481FBD8485A585D6381D868B22
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 06025c6b92c312f3fa89734b5d4948693cea2a278f307bd66ed6b8d1c090434d
                                                                • Instruction ID: a3b395560470add39c70eb7aa303f4c01e67d77fab3430dd53d01ad7f2ee20d7
                                                                • Opcode Fuzzy Hash: 06025c6b92c312f3fa89734b5d4948693cea2a278f307bd66ed6b8d1c090434d
                                                                • Instruction Fuzzy Hash: E201F5F2D09651AFF3004520CD89BB53E34EBD130AF0480FBE549994C6D67C0DCA8722
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00546BBA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2197938893.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000000.00000002.2197901846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2198747705.00000000005B2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199211207.0000000000636000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000638000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.0000000000725000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.2199240295.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 241407fc1974f478d2d1a1522664754b0e2eafcd23f3181f989bc6a9e52b4d69
                                                                • Instruction ID: 5f6085b812e05f626550e2b3e0f01cac49b5ac2b5b499f667bab1e39752fa8b0
                                                                • Opcode Fuzzy Hash: 241407fc1974f478d2d1a1522664754b0e2eafcd23f3181f989bc6a9e52b4d69
                                                                • Instruction Fuzzy Hash: F101F5F2D09651AFF3004520CD89BA53E34FBD131AF0480F6D54999486D27C098A8722
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 663adbef92004e7fe798528485943526fdc73126d0837aa5aeeeb71627b04e52
                                                                • Instruction ID: 9549e79668c245763e91825656f2ae854866b70fcd1061e315d7544f72dc3727
                                                                • Opcode Fuzzy Hash: 663adbef92004e7fe798528485943526fdc73126d0837aa5aeeeb71627b04e52
                                                                • Instruction Fuzzy Hash: 7BF0B4B1D8461D9EF7245A10DC89BBA7264F700729F1402FAEE0E56380D6B61E908E82
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008AB9B1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 0e37247ee947ea62f25ce27d4deef5ec3f3ab246f03bd2d6da71d5a33dfb5266
                                                                • Instruction ID: 53b3c33db6c174b9798c3c6d7942dd0625bed7349397deed42a6a700090867cb
                                                                • Opcode Fuzzy Hash: 0e37247ee947ea62f25ce27d4deef5ec3f3ab246f03bd2d6da71d5a33dfb5266
                                                                • Instruction Fuzzy Hash: A2F09670D0961C9EFB648E11C8987BABB70FB01305F1442EEDA4DA6681D7351EC0DE42
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 8ab0c20e5944fd58e9577473cddf3beffc8fad310e2f6df3806a14c62092106a
                                                                • Instruction ID: 99f353f8fe01b4e47b4cb0f1a4f25539ee795b45d88b6d5e014da0f5f15bd312
                                                                • Opcode Fuzzy Hash: 8ab0c20e5944fd58e9577473cddf3beffc8fad310e2f6df3806a14c62092106a
                                                                • Instruction Fuzzy Hash: A9F09071E8532D9EEB305910CC49BABB6A0F745329F1441F5DA0DA6280D6751DC08EC2
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 8496a5972e48c861d0bb4d563441466d249349a301bfd5d9b22aa2d2ff206d99
                                                                • Instruction ID: f7c07b33958d3637ceb5b2c8bba86999347838ceac7779c363340a52672d900f
                                                                • Opcode Fuzzy Hash: 8496a5972e48c861d0bb4d563441466d249349a301bfd5d9b22aa2d2ff206d99
                                                                • Instruction Fuzzy Hash: D1F0B471E806299EEB309914DC45BEB77B0F78531DF1401F6DA4D96281D6711EC08EC1
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2199661491.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_890000_AdobePDF.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: bb2f14a31601c9ecf8540ee0dffc646c6ab548c8448c67aacb59886e7a43b2d3
                                                                • Instruction ID: b7a738f616394a6c1d10d65fcbe09c3becd0ee580a62a37de326f5c4b52a38c5
                                                                • Opcode Fuzzy Hash: bb2f14a31601c9ecf8540ee0dffc646c6ab548c8448c67aacb59886e7a43b2d3
                                                                • Instruction Fuzzy Hash: 45E0CD7098431D8EEB305A104C097657260F70072DF2402F5DF49E52C1D7B00980CEC7
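The API entries above record each VirtualAlloc call with its arguments as raw hexadecimal (for example `VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004)`), which is how Joe Sandbox prints them. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses such entry lines and decodes the third and fourth arguments into the Win32 `MEM_*` allocation-type and `PAGE_*` protection constants, so an analyst can tell at a glance whether a given allocation is a plain read/write buffer or an executable region. The first two sample lines reproduce the argument values visible in the entries above; the third line (protection `0x40`, ref `00DEAD00`) is constructed for contrast and does not occur in this report.

```python
import re
from typing import Optional

# Constructed input: the first two lines reproduce argument values shown in the
# report's "APIs" entries; the third is a hypothetical PAGE_EXECUTE_READWRITE
# allocation added here for contrast and does not occur in this report.
SAMPLE_LINES = [
    "VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0089FCC5",
    "VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 008AB9B1",
    "VirtualAlloc.KERNELBASE(00000000,00001000,00003000,00000040), ref: 00DEAD00",  # constructed
]

# Win32 flAllocationType bits (winnt.h), in ascending bit order.
MEM_FLAGS = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x00200000: "MEM_WRITE_WATCH",
    0x00400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}

# Win32 flProtect: exactly one base value in the low byte, modifiers OR'ed above it.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* base value lives in these four bits

# Shape of a Joe Sandbox API entry: <Api>.<Module>(<hex args>), ref: <hex address>
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_arg(token: str) -> Optional[int]:
    """Hex argument as printed by the report; '?' means it was not resolved statically."""
    token = token.strip()
    return None if token == "?" else int(token, 16)


def decode_bits(value: Optional[int], table: dict) -> list:
    """Name every set bit found in `table`; unknown leftover bits are kept as hex."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def decode_protect(value: Optional[int]) -> list:
    if value is None:
        return ["?"]
    names = [PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:X}")]
    return names + decode_bits(value & ~0xFF, PAGE_MODIFIERS)


def parse_virtualalloc(line: str) -> Optional[dict]:
    """Decode one 'VirtualAlloc.<module>(...), ref: <addr>' entry; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m or m["api"] != "VirtualAlloc":
        return None
    args = [parse_arg(a) for a in m["args"].split(",")]
    if len(args) != 4:  # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        return None
    address, size, alloc_type, protect = args
    return {
        "module": m["module"],
        "ref": int(m["ref"], 16),
        "address": address,
        "size": size,
        "alloc_type": decode_bits(alloc_type, MEM_FLAGS),
        "protect": decode_protect(protect),
        "executable": protect is not None and bool(protect & EXECUTE_MASK),
    }


def triage(lines: list) -> list:
    """One summary string per VirtualAlloc entry; other API lines are skipped."""
    out = []
    for line in lines:
        rec = parse_virtualalloc(line)
        if rec is None:
            continue
        size = "?" if rec["size"] is None else f"0x{rec['size']:X} ({rec['size']} bytes)"
        verdict = "EXECUTABLE" if rec["executable"] else "non-executable"
        out.append(
            f"ref {rec['ref']:08X}: size={size} "
            f"type={'|'.join(rec['alloc_type'])} "
            f"protect={'|'.join(rec['protect'])} -> {verdict}"
        )
    return out


if __name__ == "__main__":
    for summary in triage(SAMPLE_LINES):
        print(summary)
```

Run against the two real entries, the decoder reports a 0x2CC-byte (716-byte) `MEM_COMMIT` region and an unresolved-size `MEM_COMMIT|MEM_RESERVE` region, both `PAGE_READWRITE`. Neither allocation is executable at the time it is made, so these particular calls are not by themselves the classic RWX shellcode pattern; they are consistent with staging buffers. That does not clear the sample: a read/write buffer can later be re-protected with VirtualProtect or copied into another process, which is the behaviour the report's "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures cover, so the protection of the initial allocation should be read together with those signatures rather than on its own.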