Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO-0005082025 pdf.exe

Overview

General Information

Sample name:PO-0005082025 pdf.exe
Analysis ID:1587579
MD5:4881b4d16acf9ff18d4f3177718d1848
SHA1:04b19cbc9904c3971cf9b070db387fa0c5fbd438
SHA256:df33cc8034f776a46c83294a6696df8c997165ce84a0a54edcd7df5eaf919d45
Tags:exeuser-abuse_ch
Infos:

Detection

FormBook, PureLog Stealer
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PO-0005082025 pdf.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4881B4D16ACF9FF18D4F3177718D1848)
    • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO-0005082025 pdf.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4881B4D16ACF9FF18D4F3177718D1848)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1386051921.0000000004C70000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
    00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000004.00000002.1902065030.0000000000EA0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000000.00000002.1378377641.0000000003489000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          Process Memory Space: PO-0005082025 pdf.exe PID: 7532JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.PO-0005082025 pdf.exe.4c70000.3.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              0.2.PO-0005082025 pdf.exe.4c70000.3.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                4.2.PO-0005082025 pdf.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                  4.2.PO-0005082025 pdf.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                    0.2.PO-0005082025 pdf.exe.3489970.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 7532, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 7704, ProcessName: powershell.exe
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 7532, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 7704, ProcessName: powershell.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 7532, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 7704, ProcessName: powershell.exe

                      Suricata Signatures

                      No Suricata rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: PO-0005082025 pdf.exeVirustotal: Detection: 59%Perma Link
                      Source: PO-0005082025 pdf.exeReversingLabs: Detection: 68%
                      Yara detected FormBook
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1902065030.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for sample
                      Source: PO-0005082025 pdf.exeJoe Sandbox ML: detected
                      Source: PO-0005082025 pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO-0005082025 pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: wntdll.pdbUGP source: PO-0005082025 pdf.exe, 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO-0005082025 pdf.exe, PO-0005082025 pdf.exe, 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1374714582.00000000024CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                      E-Banking Fraud

                      barindex
                      Yara detected FormBook
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1902065030.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0042CCC3 NtClose,4_2_0042CCC3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_00FC2C70
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_00FC2DF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC35C0 NtCreateMutant,LdrInitializeThunk,4_2_00FC35C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC4340 NtSetContextThread,4_2_00FC4340
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC4650 NtSuspendThread,4_2_00FC4650
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2AF0 NtWriteFile,4_2_00FC2AF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2AD0 NtReadFile,4_2_00FC2AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2AB0 NtWaitForSingleObject,4_2_00FC2AB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2BF0 NtAllocateVirtualMemory,4_2_00FC2BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2BE0 NtQueryValueKey,4_2_00FC2BE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2BA0 NtEnumerateValueKey,4_2_00FC2BA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2B80 NtQueryInformationFile,4_2_00FC2B80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2B60 NtClose,4_2_00FC2B60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2CF0 NtOpenProcess,4_2_00FC2CF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2CC0 NtQueryVirtualMemory,4_2_00FC2CC0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2CA0 NtQueryInformationToken,4_2_00FC2CA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2C60 NtCreateKey,4_2_00FC2C60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2C00 NtQueryInformationProcess,4_2_00FC2C00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2DD0 NtDelayExecution,4_2_00FC2DD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2DB0 NtEnumerateKey,4_2_00FC2DB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2D30 NtUnmapViewOfSection,4_2_00FC2D30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2D10 NtMapViewOfSection,4_2_00FC2D10
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2D00 NtSetInformationFile,4_2_00FC2D00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2EE0 NtQueueApcThread,4_2_00FC2EE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2EA0 NtAdjustPrivilegesToken,4_2_00FC2EA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2E80 NtReadVirtualMemory,4_2_00FC2E80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2E30 NtWriteVirtualMemory,4_2_00FC2E30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2FE0 NtCreateFile,4_2_00FC2FE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2FB0 NtResumeThread,4_2_00FC2FB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2FA0 NtQuerySection,4_2_00FC2FA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2F90 NtProtectVirtualMemory,4_2_00FC2F90
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2F60 NtCreateProcessEx,4_2_00FC2F60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2F30 NtCreateSection,4_2_00FC2F30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC3090 NtSetValueKey,4_2_00FC3090
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC3010 NtOpenDirectoryObject,4_2_00FC3010
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC39B0 NtGetContextThread,4_2_00FC39B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC3D70 NtOpenThread,4_2_00FC3D70
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC3D10 NtOpenProcessToken,4_2_00FC3D10
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E5E600_2_069E5E60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E2D700_2_069E2D70
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E52A80_2_069E52A8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069EF0D80_2_069EF0D8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069EF0C80_2_069EF0C8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069EDE380_2_069EDE38
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E5E500_2_069E5E50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E2D610_2_069E2D61
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E2A880_2_069E2A88
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E2A780_2_069E2A78
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00401C664_2_00401C66
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004030454_2_00403045
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004030504_2_00403050
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040E8EA4_2_0040E8EA
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040E8F34_2_0040E8F3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040296B4_2_0040296B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004029704_2_00402970
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00404A474_2_00404A47
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0042F2B34_2_0042F2B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004014404_2_00401440
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004034204_2_00403420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0041056A4_2_0041056A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004105734_2_00410573
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004025C64_2_004025C6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004025D04_2_004025D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00402E2E4_2_00402E2E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00402E304_2_00402E30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00416F1E4_2_00416F1E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00416F234_2_00416F23
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004107934_2_00410793
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040E79A4_2_0040E79A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040E7A34_2_0040E7A3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102A1184_2_0102A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010181584_2_01018158
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010441A24_2_010441A2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010501AA4_2_010501AA
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010481CC4_2_010481CC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010220004_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F801004_2_00F80100
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104A3524_2_0104A352
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010503E64_2_010503E6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E3F04_2_00F9E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010302744_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010102C04_2_010102C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010505914_2_01050591
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010344204_2_01034420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010424464_2_01042446
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F905354_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103E4F64_2_0103E4F6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAC6E04_2_00FAC6E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8C7C04_2_00F8C7C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F907704_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB47504_2_00FB4750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE8F04_2_00FBE8F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F768B84_2_00F768B8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0105A9A64_2_0105A9A6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9A8404_2_00F9A840
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F928404_2_00F92840
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A04_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA69624_2_00FA6962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104AB404_2_0104AB40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA804_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01046BD74_2_01046BD7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80CF24_2_00F80CF2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102CD1F4_2_0102CD1F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90C004_2_00F90C00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8ADE04_2_00F8ADE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA8DBF4_2_00FA8DBF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030CB54_2_01030CB5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9AD004_2_00F9AD00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01032F304_2_01032F30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01004F404_2_01004F40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2E904_2_00FA2E90
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90E594_2_00F90E59
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100EFA04_2_0100EFA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9CFE04_2_00F9CFE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104EE264_2_0104EE26
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F82FC84_2_00F82FC8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104CE934_2_0104CE93
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB0F304_2_00FB0F30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD2F284_2_00FD2F28
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104EEDB4_2_0104EEDB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F970C04_2_00F970C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0105B16B4_2_0105B16B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9B1B04_2_00F9B1B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7F1724_2_00F7F172
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC516C4_2_00FC516C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103F0CC4_2_0103F0CC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104F0E04_2_0104F0E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010470E94_2_010470E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104132D4_2_0104132D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAB2C04_2_00FAB2C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F952A04_2_00F952A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD739A4_2_00FD739A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7D34C4_2_00F7D34C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010312ED4_2_010312ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010475714_2_01047571
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F814604_2_00F81460
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102D5B04_2_0102D5B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010595C34_2_010595C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104F43F4_2_0104F43F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104F7B04_2_0104F7B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD56304_2_00FD5630
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010416CC4_2_010416CC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010259104_2_01025910
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F938E04_2_00F938E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFD8004_2_00FFD800
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F999504_2_00F99950
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAB9504_2_00FAB950
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD5AA04_2_00FD5AA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104FB764_2_0104FB76
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01005BF04_2_01005BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FCDBF94_2_00FCDBF9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01047A464_2_01047A46
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104FA494_2_0104FA49
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01003A6C4_2_01003A6C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAFB804_2_00FAFB80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01031AA34_2_01031AA3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102DAAC4_2_0102DAAC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103DAC64_2_0103DAC6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01041D5A4_2_01041D5A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01047D734_2_01047D73
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01009C324_2_01009C32
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAFDC04_2_00FAFDC0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F93D404_2_00F93D40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104FCF24_2_0104FCF2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104FF094_2_0104FF09
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F99EB04_2_00F99EB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104FFB14_2_0104FFB1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F91F924_2_00F91F92
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 00FD7E54 appears 110 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 00F7B970 appears 280 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 00FC5130 appears 58 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 00FFEA12 appears 86 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 0100F290 appears 105 times
                      Source: PO-0005082025 pdf.exeBinary or memory string: OriginalFilename vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1388178339.0000000006A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1378377641.0000000003489000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1378377641.0000000003489000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1373582906.000000000075E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1386051921.0000000004C70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000000.1357895744.0000000000132000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIVGw.exe@ vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000004.00000002.1902184115.000000000107D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exeBinary or memory string: OriginalFilenameIVGw.exe@ vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO-0005082025 pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal96.troj.evad.winEXE@6/6@0/0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0005082025 pdf.exe.logJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovababr3.iyv.ps1Jump to behavior
                      Source: PO-0005082025 pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: PO-0005082025 pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: PO-0005082025 pdf.exeVirustotal: Detection: 59%
                      Source: PO-0005082025 pdf.exeReversingLabs: Detection: 68%
                      Source: unknownProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: iconcodecservice.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: PO-0005082025 pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO-0005082025 pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: wntdll.pdbUGP source: PO-0005082025 pdf.exe, 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO-0005082025 pdf.exe, PO-0005082025 pdf.exe, 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069E63A9 push 74069D5Eh; ret 0_2_069E63B5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_069EDBEA push ebp; iretd 0_2_069EDBEB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004178CA push edx; iretd 4_2_004178CD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004150EB push esp; iretd 4_2_0041514F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040D8B6 push ecx; ret 4_2_0040D8B7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00415119 push esp; iretd 4_2_0041514F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00424A53 push 3D550B4Fh; ret 4_2_00424A6B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00417A3B push ebx; iretd 4_2_00417A3C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00423D13 push edi; retf 4_2_00423D1E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00423DBE push esp; iretd 4_2_00423DE4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0040AEDA push FFFFFF84h; retf 4_2_0040AEDC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_004036A0 push eax; ret 4_2_004036A2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F5225F pushad ; ret 4_2_00F527F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F527FA pushad ; ret 4_2_00F527F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F5283D push eax; iretd 4_2_00F52858
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F809AD push ecx; mov dword ptr [esp], ecx4_2_00F809B6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F51368 push eax; iretd 4_2_00F51369
                      Source: PO-0005082025 pdf.exeStatic PE information: section name: .text entropy: 7.759221001325472

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: PO-0005082025 pdf.exe PID: 7532, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 990000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 2480000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 22D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 7350000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 8350000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 8500000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 9500000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC096E rdtsc 4_2_00FC096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5467Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1835Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeAPI coverage: 0.6 %
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe TID: 7560Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe TID: 7720Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC096E rdtsc 4_2_00FC096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00417EB3 LdrLoadDll,4_2_00417EB3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7C0F0 mov eax, dword ptr fs:[00000030h]4_2_00F7C0F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC20F0 mov ecx, dword ptr fs:[00000030h]4_2_00FC20F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov eax, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov ecx, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov eax, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov eax, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov ecx, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov eax, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov eax, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov ecx, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov eax, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E10E mov ecx, dword ptr fs:[00000030h]4_2_0102E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01040115 mov eax, dword ptr fs:[00000030h]4_2_01040115
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F880E9 mov eax, dword ptr fs:[00000030h]4_2_00F880E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7A0E3 mov ecx, dword ptr fs:[00000030h]4_2_00F7A0E3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102A118 mov ecx, dword ptr fs:[00000030h]4_2_0102A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102A118 mov eax, dword ptr fs:[00000030h]4_2_0102A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102A118 mov eax, dword ptr fs:[00000030h]4_2_0102A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102A118 mov eax, dword ptr fs:[00000030h]4_2_0102A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01014144 mov eax, dword ptr fs:[00000030h]4_2_01014144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01014144 mov eax, dword ptr fs:[00000030h]4_2_01014144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01014144 mov ecx, dword ptr fs:[00000030h]4_2_01014144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01014144 mov eax, dword ptr fs:[00000030h]4_2_01014144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01014144 mov eax, dword ptr fs:[00000030h]4_2_01014144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F780A0 mov eax, dword ptr fs:[00000030h]4_2_00F780A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01018158 mov eax, dword ptr fs:[00000030h]4_2_01018158
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054164 mov eax, dword ptr fs:[00000030h]4_2_01054164
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054164 mov eax, dword ptr fs:[00000030h]4_2_01054164
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8208A mov eax, dword ptr fs:[00000030h]4_2_00F8208A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01024180 mov eax, dword ptr fs:[00000030h]4_2_01024180
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01024180 mov eax, dword ptr fs:[00000030h]4_2_01024180
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAC073 mov eax, dword ptr fs:[00000030h]4_2_00FAC073
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103C188 mov eax, dword ptr fs:[00000030h]4_2_0103C188
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103C188 mov eax, dword ptr fs:[00000030h]4_2_0103C188
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100019F mov eax, dword ptr fs:[00000030h]4_2_0100019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100019F mov eax, dword ptr fs:[00000030h]4_2_0100019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100019F mov eax, dword ptr fs:[00000030h]4_2_0100019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100019F mov eax, dword ptr fs:[00000030h]4_2_0100019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F82050 mov eax, dword ptr fs:[00000030h]4_2_00F82050
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010461C3 mov eax, dword ptr fs:[00000030h]4_2_010461C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010461C3 mov eax, dword ptr fs:[00000030h]4_2_010461C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7A020 mov eax, dword ptr fs:[00000030h]4_2_00F7A020
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7C020 mov eax, dword ptr fs:[00000030h]4_2_00F7C020
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010561E5 mov eax, dword ptr fs:[00000030h]4_2_010561E5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E016 mov eax, dword ptr fs:[00000030h]4_2_00F9E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E016 mov eax, dword ptr fs:[00000030h]4_2_00F9E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E016 mov eax, dword ptr fs:[00000030h]4_2_00F9E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E016 mov eax, dword ptr fs:[00000030h]4_2_00F9E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01004000 mov ecx, dword ptr fs:[00000030h]4_2_01004000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01022000 mov eax, dword ptr fs:[00000030h]4_2_01022000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB01F8 mov eax, dword ptr fs:[00000030h]4_2_00FB01F8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE1D0 mov eax, dword ptr fs:[00000030h]4_2_00FFE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE1D0 mov eax, dword ptr fs:[00000030h]4_2_00FFE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE1D0 mov ecx, dword ptr fs:[00000030h]4_2_00FFE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE1D0 mov eax, dword ptr fs:[00000030h]4_2_00FFE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE1D0 mov eax, dword ptr fs:[00000030h]4_2_00FFE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01016030 mov eax, dword ptr fs:[00000030h]4_2_01016030
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006050 mov eax, dword ptr fs:[00000030h]4_2_01006050
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7A197 mov eax, dword ptr fs:[00000030h]4_2_00F7A197
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7A197 mov eax, dword ptr fs:[00000030h]4_2_00F7A197
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7A197 mov eax, dword ptr fs:[00000030h]4_2_00F7A197
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC0185 mov eax, dword ptr fs:[00000030h]4_2_00FC0185
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7C156 mov eax, dword ptr fs:[00000030h]4_2_00F7C156
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010180A8 mov eax, dword ptr fs:[00000030h]4_2_010180A8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86154 mov eax, dword ptr fs:[00000030h]4_2_00F86154
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86154 mov eax, dword ptr fs:[00000030h]4_2_00F86154
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010460B8 mov eax, dword ptr fs:[00000030h]4_2_010460B8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010460B8 mov ecx, dword ptr fs:[00000030h]4_2_010460B8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010020DE mov eax, dword ptr fs:[00000030h]4_2_010020DE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB0124 mov eax, dword ptr fs:[00000030h]4_2_00FB0124
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010060E0 mov eax, dword ptr fs:[00000030h]4_2_010060E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F902E1 mov eax, dword ptr fs:[00000030h]4_2_00F902E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F902E1 mov eax, dword ptr fs:[00000030h]4_2_00F902E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F902E1 mov eax, dword ptr fs:[00000030h]4_2_00F902E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01058324 mov eax, dword ptr fs:[00000030h]4_2_01058324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01058324 mov ecx, dword ptr fs:[00000030h]4_2_01058324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01058324 mov eax, dword ptr fs:[00000030h]4_2_01058324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01058324 mov eax, dword ptr fs:[00000030h]4_2_01058324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A2C3 mov eax, dword ptr fs:[00000030h]4_2_00F8A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A2C3 mov eax, dword ptr fs:[00000030h]4_2_00F8A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A2C3 mov eax, dword ptr fs:[00000030h]4_2_00F8A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A2C3 mov eax, dword ptr fs:[00000030h]4_2_00F8A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A2C3 mov eax, dword ptr fs:[00000030h]4_2_00F8A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01002349 mov eax, dword ptr fs:[00000030h]4_2_01002349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0105634F mov eax, dword ptr fs:[00000030h]4_2_0105634F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01028350 mov ecx, dword ptr fs:[00000030h]4_2_01028350
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104A352 mov eax, dword ptr fs:[00000030h]4_2_0104A352
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F902A0 mov eax, dword ptr fs:[00000030h]4_2_00F902A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F902A0 mov eax, dword ptr fs:[00000030h]4_2_00F902A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100035C mov eax, dword ptr fs:[00000030h]4_2_0100035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100035C mov eax, dword ptr fs:[00000030h]4_2_0100035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100035C mov eax, dword ptr fs:[00000030h]4_2_0100035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100035C mov ecx, dword ptr fs:[00000030h]4_2_0100035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100035C mov eax, dword ptr fs:[00000030h]4_2_0100035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100035C mov eax, dword ptr fs:[00000030h]4_2_0100035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102437C mov eax, dword ptr fs:[00000030h]4_2_0102437C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE284 mov eax, dword ptr fs:[00000030h]4_2_00FBE284
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE284 mov eax, dword ptr fs:[00000030h]4_2_00FBE284
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84260 mov eax, dword ptr fs:[00000030h]4_2_00F84260
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84260 mov eax, dword ptr fs:[00000030h]4_2_00F84260
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84260 mov eax, dword ptr fs:[00000030h]4_2_00F84260
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7826B mov eax, dword ptr fs:[00000030h]4_2_00F7826B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86259 mov eax, dword ptr fs:[00000030h]4_2_00F86259
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7A250 mov eax, dword ptr fs:[00000030h]4_2_00F7A250
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010063C0 mov eax, dword ptr fs:[00000030h]4_2_010063C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7823B mov eax, dword ptr fs:[00000030h]4_2_00F7823B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103C3CD mov eax, dword ptr fs:[00000030h]4_2_0103C3CD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010243D4 mov eax, dword ptr fs:[00000030h]4_2_010243D4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010243D4 mov eax, dword ptr fs:[00000030h]4_2_010243D4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E3DB mov eax, dword ptr fs:[00000030h]4_2_0102E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E3DB mov eax, dword ptr fs:[00000030h]4_2_0102E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E3DB mov ecx, dword ptr fs:[00000030h]4_2_0102E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102E3DB mov eax, dword ptr fs:[00000030h]4_2_0102E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB63FF mov eax, dword ptr fs:[00000030h]4_2_00FB63FF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E3F0 mov eax, dword ptr fs:[00000030h]4_2_00F9E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E3F0 mov eax, dword ptr fs:[00000030h]4_2_00F9E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E3F0 mov eax, dword ptr fs:[00000030h]4_2_00F9E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F903E9 mov eax, dword ptr fs:[00000030h]4_2_00F903E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F883C0 mov eax, dword ptr fs:[00000030h]4_2_00F883C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F883C0 mov eax, dword ptr fs:[00000030h]4_2_00F883C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F883C0 mov eax, dword ptr fs:[00000030h]4_2_00F883C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F883C0 mov eax, dword ptr fs:[00000030h]4_2_00F883C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A3C0 mov eax, dword ptr fs:[00000030h]4_2_00F8A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A3C0 mov eax, dword ptr fs:[00000030h]4_2_00F8A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A3C0 mov eax, dword ptr fs:[00000030h]4_2_00F8A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A3C0 mov eax, dword ptr fs:[00000030h]4_2_00F8A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A3C0 mov eax, dword ptr fs:[00000030h]4_2_00F8A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A3C0 mov eax, dword ptr fs:[00000030h]4_2_00F8A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01008243 mov eax, dword ptr fs:[00000030h]4_2_01008243
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01008243 mov ecx, dword ptr fs:[00000030h]4_2_01008243
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103A250 mov eax, dword ptr fs:[00000030h]4_2_0103A250
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103A250 mov eax, dword ptr fs:[00000030h]4_2_0103A250
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0105625D mov eax, dword ptr fs:[00000030h]4_2_0105625D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F78397 mov eax, dword ptr fs:[00000030h]4_2_00F78397
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F78397 mov eax, dword ptr fs:[00000030h]4_2_00F78397
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F78397 mov eax, dword ptr fs:[00000030h]4_2_00F78397
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA438F mov eax, dword ptr fs:[00000030h]4_2_00FA438F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA438F mov eax, dword ptr fs:[00000030h]4_2_00FA438F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01030274 mov eax, dword ptr fs:[00000030h]4_2_01030274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7E388 mov eax, dword ptr fs:[00000030h]4_2_00F7E388
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7E388 mov eax, dword ptr fs:[00000030h]4_2_00F7E388
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7E388 mov eax, dword ptr fs:[00000030h]4_2_00F7E388
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01000283 mov eax, dword ptr fs:[00000030h]4_2_01000283
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01000283 mov eax, dword ptr fs:[00000030h]4_2_01000283
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01000283 mov eax, dword ptr fs:[00000030h]4_2_01000283
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010162A0 mov eax, dword ptr fs:[00000030h]4_2_010162A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010162A0 mov ecx, dword ptr fs:[00000030h]4_2_010162A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010162A0 mov eax, dword ptr fs:[00000030h]4_2_010162A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010162A0 mov eax, dword ptr fs:[00000030h]4_2_010162A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010162A0 mov eax, dword ptr fs:[00000030h]4_2_010162A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010162A0 mov eax, dword ptr fs:[00000030h]4_2_010162A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010562D6 mov eax, dword ptr fs:[00000030h]4_2_010562D6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7C310 mov ecx, dword ptr fs:[00000030h]4_2_00F7C310
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA0310 mov ecx, dword ptr fs:[00000030h]4_2_00FA0310
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA30B mov eax, dword ptr fs:[00000030h]4_2_00FBA30B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA30B mov eax, dword ptr fs:[00000030h]4_2_00FBA30B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA30B mov eax, dword ptr fs:[00000030h]4_2_00FBA30B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01016500 mov eax, dword ptr fs:[00000030h]4_2_01016500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054500 mov eax, dword ptr fs:[00000030h]4_2_01054500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F804E5 mov ecx, dword ptr fs:[00000030h]4_2_00F804E5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB44B0 mov ecx, dword ptr fs:[00000030h]4_2_00FB44B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F864AB mov eax, dword ptr fs:[00000030h]4_2_00F864AB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAA470 mov eax, dword ptr fs:[00000030h]4_2_00FAA470
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAA470 mov eax, dword ptr fs:[00000030h]4_2_00FAA470
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAA470 mov eax, dword ptr fs:[00000030h]4_2_00FAA470
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA245A mov eax, dword ptr fs:[00000030h]4_2_00FA245A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010005A7 mov eax, dword ptr fs:[00000030h]4_2_010005A7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010005A7 mov eax, dword ptr fs:[00000030h]4_2_010005A7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010005A7 mov eax, dword ptr fs:[00000030h]4_2_010005A7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7645D mov eax, dword ptr fs:[00000030h]4_2_00F7645D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE443 mov eax, dword ptr fs:[00000030h]4_2_00FBE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA430 mov eax, dword ptr fs:[00000030h]4_2_00FBA430
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7C427 mov eax, dword ptr fs:[00000030h]4_2_00F7C427
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7E420 mov eax, dword ptr fs:[00000030h]4_2_00F7E420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7E420 mov eax, dword ptr fs:[00000030h]4_2_00F7E420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7E420 mov eax, dword ptr fs:[00000030h]4_2_00F7E420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB8402 mov eax, dword ptr fs:[00000030h]4_2_00FB8402
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB8402 mov eax, dword ptr fs:[00000030h]4_2_00FB8402
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB8402 mov eax, dword ptr fs:[00000030h]4_2_00FB8402
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC5ED mov eax, dword ptr fs:[00000030h]4_2_00FBC5ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC5ED mov eax, dword ptr fs:[00000030h]4_2_00FBC5ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F825E0 mov eax, dword ptr fs:[00000030h]4_2_00F825E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FAE5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01006420 mov eax, dword ptr fs:[00000030h]4_2_01006420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F865D0 mov eax, dword ptr fs:[00000030h]4_2_00F865D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA5D0 mov eax, dword ptr fs:[00000030h]4_2_00FBA5D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA5D0 mov eax, dword ptr fs:[00000030h]4_2_00FBA5D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE5CF mov eax, dword ptr fs:[00000030h]4_2_00FBE5CF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE5CF mov eax, dword ptr fs:[00000030h]4_2_00FBE5CF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA45B1 mov eax, dword ptr fs:[00000030h]4_2_00FA45B1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA45B1 mov eax, dword ptr fs:[00000030h]4_2_00FA45B1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103A456 mov eax, dword ptr fs:[00000030h]4_2_0103A456
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100C460 mov ecx, dword ptr fs:[00000030h]4_2_0100C460
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBE59C mov eax, dword ptr fs:[00000030h]4_2_00FBE59C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB4588 mov eax, dword ptr fs:[00000030h]4_2_00FB4588
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F82582 mov eax, dword ptr fs:[00000030h]4_2_00F82582
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F82582 mov ecx, dword ptr fs:[00000030h]4_2_00F82582
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB656A mov eax, dword ptr fs:[00000030h]4_2_00FB656A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB656A mov eax, dword ptr fs:[00000030h]4_2_00FB656A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB656A mov eax, dword ptr fs:[00000030h]4_2_00FB656A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0103A49A mov eax, dword ptr fs:[00000030h]4_2_0103A49A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88550 mov eax, dword ptr fs:[00000030h]4_2_00F88550
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88550 mov eax, dword ptr fs:[00000030h]4_2_00F88550
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100A4B0 mov eax, dword ptr fs:[00000030h]4_2_0100A4B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE53E mov eax, dword ptr fs:[00000030h]4_2_00FAE53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE53E mov eax, dword ptr fs:[00000030h]4_2_00FAE53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE53E mov eax, dword ptr fs:[00000030h]4_2_00FAE53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE53E mov eax, dword ptr fs:[00000030h]4_2_00FAE53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE53E mov eax, dword ptr fs:[00000030h]4_2_00FAE53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90535 mov eax, dword ptr fs:[00000030h]4_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90535 mov eax, dword ptr fs:[00000030h]4_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90535 mov eax, dword ptr fs:[00000030h]4_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90535 mov eax, dword ptr fs:[00000030h]4_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90535 mov eax, dword ptr fs:[00000030h]4_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90535 mov eax, dword ptr fs:[00000030h]4_2_00F90535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE6F2 mov eax, dword ptr fs:[00000030h]4_2_00FFE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE6F2 mov eax, dword ptr fs:[00000030h]4_2_00FFE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE6F2 mov eax, dword ptr fs:[00000030h]4_2_00FFE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE6F2 mov eax, dword ptr fs:[00000030h]4_2_00FFE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA6C7 mov ebx, dword ptr fs:[00000030h]4_2_00FBA6C7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA6C7 mov eax, dword ptr fs:[00000030h]4_2_00FBA6C7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB66B0 mov eax, dword ptr fs:[00000030h]4_2_00FB66B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01004755 mov eax, dword ptr fs:[00000030h]4_2_01004755
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC6A6 mov eax, dword ptr fs:[00000030h]4_2_00FBC6A6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100E75D mov eax, dword ptr fs:[00000030h]4_2_0100E75D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84690 mov eax, dword ptr fs:[00000030h]4_2_00F84690
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84690 mov eax, dword ptr fs:[00000030h]4_2_00F84690
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102678E mov eax, dword ptr fs:[00000030h]4_2_0102678E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB2674 mov eax, dword ptr fs:[00000030h]4_2_00FB2674
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA660 mov eax, dword ptr fs:[00000030h]4_2_00FBA660
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA660 mov eax, dword ptr fs:[00000030h]4_2_00FBA660
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010347A0 mov eax, dword ptr fs:[00000030h]4_2_010347A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9C640 mov eax, dword ptr fs:[00000030h]4_2_00F9C640
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010007C3 mov eax, dword ptr fs:[00000030h]4_2_010007C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8262C mov eax, dword ptr fs:[00000030h]4_2_00F8262C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB6620 mov eax, dword ptr fs:[00000030h]4_2_00FB6620
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB8620 mov eax, dword ptr fs:[00000030h]4_2_00FB8620
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9E627 mov eax, dword ptr fs:[00000030h]4_2_00F9E627
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100E7E1 mov eax, dword ptr fs:[00000030h]4_2_0100E7E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2619 mov eax, dword ptr fs:[00000030h]4_2_00FC2619
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F9260B mov eax, dword ptr fs:[00000030h]4_2_00F9260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE609 mov eax, dword ptr fs:[00000030h]4_2_00FFE609
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F847FB mov eax, dword ptr fs:[00000030h]4_2_00F847FB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F847FB mov eax, dword ptr fs:[00000030h]4_2_00F847FB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA27ED mov eax, dword ptr fs:[00000030h]4_2_00FA27ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA27ED mov eax, dword ptr fs:[00000030h]4_2_00FA27ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA27ED mov eax, dword ptr fs:[00000030h]4_2_00FA27ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8C7C0 mov eax, dword ptr fs:[00000030h]4_2_00F8C7C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F807AF mov eax, dword ptr fs:[00000030h]4_2_00F807AF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104866E mov eax, dword ptr fs:[00000030h]4_2_0104866E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104866E mov eax, dword ptr fs:[00000030h]4_2_0104866E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88770 mov eax, dword ptr fs:[00000030h]4_2_00F88770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90770 mov eax, dword ptr fs:[00000030h]4_2_00F90770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80750 mov eax, dword ptr fs:[00000030h]4_2_00F80750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2750 mov eax, dword ptr fs:[00000030h]4_2_00FC2750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC2750 mov eax, dword ptr fs:[00000030h]4_2_00FC2750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB674D mov esi, dword ptr fs:[00000030h]4_2_00FB674D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB674D mov eax, dword ptr fs:[00000030h]4_2_00FB674D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB674D mov eax, dword ptr fs:[00000030h]4_2_00FB674D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB273C mov eax, dword ptr fs:[00000030h]4_2_00FB273C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB273C mov ecx, dword ptr fs:[00000030h]4_2_00FB273C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB273C mov eax, dword ptr fs:[00000030h]4_2_00FB273C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFC730 mov eax, dword ptr fs:[00000030h]4_2_00FFC730
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC720 mov eax, dword ptr fs:[00000030h]4_2_00FBC720
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC720 mov eax, dword ptr fs:[00000030h]4_2_00FBC720
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80710 mov eax, dword ptr fs:[00000030h]4_2_00F80710
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB0710 mov eax, dword ptr fs:[00000030h]4_2_00FB0710
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010006F1 mov eax, dword ptr fs:[00000030h]4_2_010006F1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010006F1 mov eax, dword ptr fs:[00000030h]4_2_010006F1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC700 mov eax, dword ptr fs:[00000030h]4_2_00FBC700
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC8F9 mov eax, dword ptr fs:[00000030h]4_2_00FBC8F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBC8F9 mov eax, dword ptr fs:[00000030h]4_2_00FBC8F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100C912 mov eax, dword ptr fs:[00000030h]4_2_0100C912
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100892A mov eax, dword ptr fs:[00000030h]4_2_0100892A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0101892B mov eax, dword ptr fs:[00000030h]4_2_0101892B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAE8C0 mov eax, dword ptr fs:[00000030h]4_2_00FAE8C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054940 mov eax, dword ptr fs:[00000030h]4_2_01054940
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01000946 mov eax, dword ptr fs:[00000030h]4_2_01000946
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01024978 mov eax, dword ptr fs:[00000030h]4_2_01024978
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01024978 mov eax, dword ptr fs:[00000030h]4_2_01024978
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100C97C mov eax, dword ptr fs:[00000030h]4_2_0100C97C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80887 mov eax, dword ptr fs:[00000030h]4_2_00F80887
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84859 mov eax, dword ptr fs:[00000030h]4_2_00F84859
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F84859 mov eax, dword ptr fs:[00000030h]4_2_00F84859
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB0854 mov eax, dword ptr fs:[00000030h]4_2_00FB0854
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010089B3 mov esi, dword ptr fs:[00000030h]4_2_010089B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010089B3 mov eax, dword ptr fs:[00000030h]4_2_010089B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010089B3 mov eax, dword ptr fs:[00000030h]4_2_010089B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F92840 mov ecx, dword ptr fs:[00000030h]4_2_00F92840
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010169C0 mov eax, dword ptr fs:[00000030h]4_2_010169C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBA830 mov eax, dword ptr fs:[00000030h]4_2_00FBA830
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2835 mov eax, dword ptr fs:[00000030h]4_2_00FA2835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2835 mov eax, dword ptr fs:[00000030h]4_2_00FA2835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2835 mov eax, dword ptr fs:[00000030h]4_2_00FA2835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2835 mov ecx, dword ptr fs:[00000030h]4_2_00FA2835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2835 mov eax, dword ptr fs:[00000030h]4_2_00FA2835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA2835 mov eax, dword ptr fs:[00000030h]4_2_00FA2835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104A9D3 mov eax, dword ptr fs:[00000030h]4_2_0104A9D3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100E9E0 mov eax, dword ptr fs:[00000030h]4_2_0100E9E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB29F9 mov eax, dword ptr fs:[00000030h]4_2_00FB29F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB29F9 mov eax, dword ptr fs:[00000030h]4_2_00FB29F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100C810 mov eax, dword ptr fs:[00000030h]4_2_0100C810
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A9D0 mov eax, dword ptr fs:[00000030h]4_2_00F8A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A9D0 mov eax, dword ptr fs:[00000030h]4_2_00F8A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A9D0 mov eax, dword ptr fs:[00000030h]4_2_00F8A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A9D0 mov eax, dword ptr fs:[00000030h]4_2_00F8A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A9D0 mov eax, dword ptr fs:[00000030h]4_2_00F8A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8A9D0 mov eax, dword ptr fs:[00000030h]4_2_00F8A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB49D0 mov eax, dword ptr fs:[00000030h]4_2_00FB49D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102483A mov eax, dword ptr fs:[00000030h]4_2_0102483A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102483A mov eax, dword ptr fs:[00000030h]4_2_0102483A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F809AD mov eax, dword ptr fs:[00000030h]4_2_00F809AD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F809AD mov eax, dword ptr fs:[00000030h]4_2_00F809AD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F929A0 mov eax, dword ptr fs:[00000030h]4_2_00F929A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01016870 mov eax, dword ptr fs:[00000030h]4_2_01016870
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01016870 mov eax, dword ptr fs:[00000030h]4_2_01016870
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100E872 mov eax, dword ptr fs:[00000030h]4_2_0100E872
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100E872 mov eax, dword ptr fs:[00000030h]4_2_0100E872
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC096E mov eax, dword ptr fs:[00000030h]4_2_00FC096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC096E mov edx, dword ptr fs:[00000030h]4_2_00FC096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FC096E mov eax, dword ptr fs:[00000030h]4_2_00FC096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA6962 mov eax, dword ptr fs:[00000030h]4_2_00FA6962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA6962 mov eax, dword ptr fs:[00000030h]4_2_00FA6962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA6962 mov eax, dword ptr fs:[00000030h]4_2_00FA6962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100C89D mov eax, dword ptr fs:[00000030h]4_2_0100C89D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_010508C0 mov eax, dword ptr fs:[00000030h]4_2_010508C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104A8E4 mov eax, dword ptr fs:[00000030h]4_2_0104A8E4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F78918 mov eax, dword ptr fs:[00000030h]4_2_00F78918
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F78918 mov eax, dword ptr fs:[00000030h]4_2_00F78918
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE908 mov eax, dword ptr fs:[00000030h]4_2_00FFE908
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFE908 mov eax, dword ptr fs:[00000030h]4_2_00FFE908
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054B00 mov eax, dword ptr fs:[00000030h]4_2_01054B00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBAAEE mov eax, dword ptr fs:[00000030h]4_2_00FBAAEE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBAAEE mov eax, dword ptr fs:[00000030h]4_2_00FBAAEE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80AD0 mov eax, dword ptr fs:[00000030h]4_2_00F80AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB4AD0 mov eax, dword ptr fs:[00000030h]4_2_00FB4AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB4AD0 mov eax, dword ptr fs:[00000030h]4_2_00FB4AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01048B28 mov eax, dword ptr fs:[00000030h]4_2_01048B28
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01048B28 mov eax, dword ptr fs:[00000030h]4_2_01048B28
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD6ACC mov eax, dword ptr fs:[00000030h]4_2_00FD6ACC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD6ACC mov eax, dword ptr fs:[00000030h]4_2_00FD6ACC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD6ACC mov eax, dword ptr fs:[00000030h]4_2_00FD6ACC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01028B42 mov eax, dword ptr fs:[00000030h]4_2_01028B42
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01016B40 mov eax, dword ptr fs:[00000030h]4_2_01016B40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01016B40 mov eax, dword ptr fs:[00000030h]4_2_01016B40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0104AB40 mov eax, dword ptr fs:[00000030h]4_2_0104AB40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01034B4B mov eax, dword ptr fs:[00000030h]4_2_01034B4B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01034B4B mov eax, dword ptr fs:[00000030h]4_2_01034B4B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102EB50 mov eax, dword ptr fs:[00000030h]4_2_0102EB50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01052B57 mov eax, dword ptr fs:[00000030h]4_2_01052B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01052B57 mov eax, dword ptr fs:[00000030h]4_2_01052B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01052B57 mov eax, dword ptr fs:[00000030h]4_2_01052B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01052B57 mov eax, dword ptr fs:[00000030h]4_2_01052B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88AA0 mov eax, dword ptr fs:[00000030h]4_2_00F88AA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88AA0 mov eax, dword ptr fs:[00000030h]4_2_00F88AA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FD6AA4 mov eax, dword ptr fs:[00000030h]4_2_00FD6AA4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FB8A90 mov edx, dword ptr fs:[00000030h]4_2_00FB8A90
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F8EA80 mov eax, dword ptr fs:[00000030h]4_2_00F8EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFCA72 mov eax, dword ptr fs:[00000030h]4_2_00FFCA72
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FFCA72 mov eax, dword ptr fs:[00000030h]4_2_00FFCA72
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBCA6F mov eax, dword ptr fs:[00000030h]4_2_00FBCA6F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBCA6F mov eax, dword ptr fs:[00000030h]4_2_00FBCA6F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBCA6F mov eax, dword ptr fs:[00000030h]4_2_00FBCA6F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90A5B mov eax, dword ptr fs:[00000030h]4_2_00F90A5B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90A5B mov eax, dword ptr fs:[00000030h]4_2_00F90A5B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F86A50 mov eax, dword ptr fs:[00000030h]4_2_00F86A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01034BB0 mov eax, dword ptr fs:[00000030h]4_2_01034BB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01034BB0 mov eax, dword ptr fs:[00000030h]4_2_01034BB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBCA38 mov eax, dword ptr fs:[00000030h]4_2_00FBCA38
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA4A35 mov eax, dword ptr fs:[00000030h]4_2_00FA4A35
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA4A35 mov eax, dword ptr fs:[00000030h]4_2_00FA4A35
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102EBD0 mov eax, dword ptr fs:[00000030h]4_2_0102EBD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAEA2E mov eax, dword ptr fs:[00000030h]4_2_00FAEA2E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FBCA24 mov eax, dword ptr fs:[00000030h]4_2_00FBCA24
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100CBF0 mov eax, dword ptr fs:[00000030h]4_2_0100CBF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FAEBFC mov eax, dword ptr fs:[00000030h]4_2_00FAEBFC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88BF0 mov eax, dword ptr fs:[00000030h]4_2_00F88BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88BF0 mov eax, dword ptr fs:[00000030h]4_2_00F88BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F88BF0 mov eax, dword ptr fs:[00000030h]4_2_00F88BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0100CA11 mov eax, dword ptr fs:[00000030h]4_2_0100CA11
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA0BCB mov eax, dword ptr fs:[00000030h]4_2_00FA0BCB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA0BCB mov eax, dword ptr fs:[00000030h]4_2_00FA0BCB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00FA0BCB mov eax, dword ptr fs:[00000030h]4_2_00FA0BCB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80BCD mov eax, dword ptr fs:[00000030h]4_2_00F80BCD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80BCD mov eax, dword ptr fs:[00000030h]4_2_00F80BCD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F80BCD mov eax, dword ptr fs:[00000030h]4_2_00F80BCD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90BBE mov eax, dword ptr fs:[00000030h]4_2_00F90BBE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F90BBE mov eax, dword ptr fs:[00000030h]4_2_00F90BBE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_0102EA60 mov eax, dword ptr fs:[00000030h]4_2_0102EA60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_01054A80 mov eax, dword ptr fs:[00000030h]4_2_01054A80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F7CB7E mov eax, dword ptr fs:[00000030h]4_2_00F7CB7E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 4_2_00F78B50 mov eax, dword ptr fs:[00000030h]4_2_00F78B50
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory written: C:\Users\user\Desktop\PO-0005082025 pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Users\user\Desktop\PO-0005082025 pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected FormBook
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1902065030.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Yara detected PureLog Stealer
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.4c70000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.4c70000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.3489970.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1386051921.0000000004C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1378377641.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Yara detected FormBook
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.1902065030.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Yara detected PureLog Stealer
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.4c70000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.4c70000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.3489970.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1386051921.0000000004C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1378377641.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                      DLL Side-Loading                      		111
                      Process Injection                      		1
                      Masquerading                      		OS Credential Dumping2
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		11
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
                      Virtualization/Sandbox Evasion                      		Security Account Manager41
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Deobfuscate/Decode Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                      Obfuscated Files or Information                      		Cached Domain Credentials12
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 1587579 Sample: PO-0005082025 pdf.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 96 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected PureLog Stealer 2->22 24 Yara detected FormBook 2->24 26 5 other signatures 2->26 7 PO-0005082025 pdf.exe 4 2->7         started        process3 file4 18 C:\Users\user\...\PO-0005082025 pdf.exe.log, ASCII 7->18 dropped 28 Adds a directory exclusion to Windows Defender 7->28 30 Injects a PE file into a foreign processes 7->30 11 powershell.exe 23 7->11         started        14 PO-0005082025 pdf.exe 7->14         started        signatures5 process6 signatures7 32 Loading BitLocker PowerShell Module 11->32 16 conhost.exe 11->16         started        process8

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      PO-0005082025 pdf.exe60%VirustotalBrowse
                      PO-0005082025 pdf.exe68%ReversingLabsWin32.Backdoor.FormBook
                      PO-0005082025 pdf.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      s-part-0017.t-0009.t-msedge.net
                      		13.107.246.45
                      		truefalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePO-0005082025 pdf.exe, 00000000.00000002.1374714582.00000000024CD000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high

                          World Map of Contacted IPs

                          No contacted IP infos

                          General Information

                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1587579
                          Start date and time:2025-01-10 15:06:08 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 8s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:12
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:PO-0005082025 pdf.exe
                          Detection:MAL
                          Classification:mal96.troj.evad.winEXE@6/6@0/0
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 94%
                          • Number of executed functions: 36
                          • Number of non-executed functions: 273
                          Cookbook Comments:
                          • Found application associated with file extension: .exe

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 4.175.87.197
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          09:07:03API Interceptor4x Sleep call for process: PO-0005082025 pdf.exe modified
                          09:07:04API Interceptor14x Sleep call for process: powershell.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          s-part-0017.t-0009.t-msedge.net1712226379134618467.jsGet hashmaliciousStrela DownloaderBrowse
                          • 13.107.246.45
                          https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGNGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          https://www.filemail.com/d/rxythqchkhluipl?skipreg=trueGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          https://eu.jotform.com/app/250092704521347Get hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.chGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          https://app.planable.io/review/0OPaw36t6M_kGet hashmaliciousHTMLPhisherBrowse
                          • 13.107.246.45
                          PDFONLINE.exeGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          OTTIMAX RFQ BID1122263.xlsxGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          PDFONLINE.exeGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          Quarantined Messages(3).zipGet hashmaliciousHTMLPhisherBrowse
                          • 13.107.246.45

                          ASNs

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0005082025 pdf.exe.log

                          Download File
                          Process:C:\Users\user\Desktop\PO-0005082025 pdf.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1172
                          Entropy (8bit):5.357042452875322
                          Encrypted:false
                          SSDEEP:24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
                          MD5:475D428E7231D005EEA5DB556DBED03F
                          SHA1:3D603ED4280E0017D1BEB124D68183F8283B5C22
                          SHA-256:1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
                          SHA-512:7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1jeozcx.kzf.psm1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmhprtko.agn.psm1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovababr3.iyv.ps1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uutrhiv5.dqr.ps1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.755059431351127
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:PO-0005082025 pdf.exe
                          File size:791'552 bytes
                          MD5:4881b4d16acf9ff18d4f3177718d1848
                          SHA1:04b19cbc9904c3971cf9b070db387fa0c5fbd438
                          SHA256:df33cc8034f776a46c83294a6696df8c997165ce84a0a54edcd7df5eaf919d45
                          SHA512:77092a0bcbd2c962474deaf121ef4d9c3667e5a21f7034451f2c502860aa1d2570aaf930c9154646d2711fde7f80c71efd0d9981d879ae673dcc35e6e52c2e16
                          SSDEEP:24576:iVT8S0ck7UmUZtIq5EsnXu3DZoQcmwuT:iV8S0chmUZmqbnaDtlT
                          TLSH:41F402592659EC03D4A6077049E2E3F817245EDEEA01D3039BFEBDFF7C395526818292
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~g..............0......*........... ... ....@.. ....................................`................................

                          File Icon

                          Icon Hash:33362c2d36335470

                          Static PE Info

                          General

                          Entrypoint:0x4c06ee
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x677EF689 [Wed Jan 8 22:04:57 2025 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0xc069c0x4f.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xc20000x277c.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xc60000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000xbe6f40xbe8005cc38bade3aa1a2deece18132dd0b46fFalse0.9178085527395013data7.759221001325472IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc0xc20000x277c0x2800e2592dacaf79c9517d2dba9d3ff559e5False0.87900390625data7.595888387892524IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0xc60000xc0x200f8c022568c28e4708c73c32af1832f66False0.041015625data0.07763316234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountryZLIB Complexity
                          RT_ICON0xc20c80x2356PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9427371213796153
                          RT_GROUP_ICON0xc44300x14data1.05
                          RT_VERSION0xc44540x324data0.43283582089552236

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Network Behavior

                          DNS Answers

                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                          Jan 10, 2025 15:07:00.862653971 CET1.1.1.1192.168.2.90xe06fNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                          Jan 10, 2025 15:07:00.862653971 CET1.1.1.1192.168.2.90xe06fNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:0
                          Start time:09:07:02
                          Start date:10/01/2025
                          Path:C:\Users\user\Desktop\PO-0005082025 pdf.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                          Imagebase:0x70000
                          File size:791'552 bytes
                          MD5 hash:4881B4D16ACF9FF18D4F3177718D1848
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1386051921.0000000004C70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1378377641.0000000003489000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:3
                          Start time:09:07:03
                          Start date:10/01/2025
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                          Imagebase:0x440000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          General

                          Target ID:4
                          Start time:09:07:03
                          Start date:10/01/2025
                          Path:C:\Users\user\Desktop\PO-0005082025 pdf.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                          Imagebase:0x530000
                          File size:791'552 bytes
                          MD5 hash:4881B4D16ACF9FF18D4F3177718D1848
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1902065030.0000000000EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:5
                          Start time:09:07:03
                          Start date:10/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff70f010000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Disassembly

                          Reset < >

                            Execution Graph

                            Execution Coverage:11.5%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:71
                            Total number of Limit Nodes:2
                            execution_graph 24685 6a906c8 24686 6a90751 CreateProcessA 24685->24686 24688 6a90913 24686->24688 24689 99bdf8 24690 99be3a 24689->24690 24691 99be40 GetModuleHandleW 24689->24691 24690->24691 24692 99be6d 24691->24692 24710 994668 24711 99467a 24710->24711 24712 994686 24711->24712 24714 994779 24711->24714 24715 99479d 24714->24715 24719 994888 24715->24719 24723 994878 24715->24723 24721 9948af 24719->24721 24720 99498c 24720->24720 24721->24720 24727 99448c 24721->24727 24724 9948af 24723->24724 24725 99498c 24724->24725 24726 99448c CreateActCtxA 24724->24726 24726->24725 24728 995918 CreateActCtxA 24727->24728 24730 9959db 24728->24730 24730->24730 24656 69ed00b 24657 69ed01b 24656->24657 24658 69ece00 24657->24658 24662 69ef510 ResumeThread 24657->24662 24663 69ef501 ResumeThread 24657->24663 24659 69ece0f 24658->24659 24664 69ef510 24658->24664 24668 69ef501 24658->24668 24662->24658 24663->24658 24665 69ef543 24664->24665 24666 69ef5b1 24665->24666 24672 69ef8f8 24665->24672 24666->24659 24669 69ef510 24668->24669 24670 69ef5b1 24669->24670 24671 69ef8f8 ResumeThread 24669->24671 24670->24659 24671->24670 24673 69ef8fd 24672->24673 24674 69ef94a ResumeThread 24673->24674 24675 69ef8b2 24673->24675 24676 69ef971 24674->24676 24675->24666 24676->24666 24693 69ed378 24694 69ed307 24693->24694 24696 69ef510 ResumeThread 24694->24696 24697 69ef501 ResumeThread 24694->24697 24695 69ed34a 24696->24695 24697->24695 24731 69efde8 24732 69efe2d Wow64SetThreadContext 24731->24732 24734 69efe75 24732->24734 24698 69ece79 24699 69ece00 24698->24699 24700 69ece0f 24699->24700 24701 69ef510 ResumeThread 24699->24701 24702 69ef501 ResumeThread 24699->24702 24701->24700 24702->24700 24677 6a90130 24678 6a9017b ReadProcessMemory 24677->24678 24680 6a901bf 24678->24680 24703 6a90280 24704 6a92ee8 PostMessageW 24703->24704 24705 6a92f54 24704->24705 24706 6a90040 24707 6a90088 WriteProcessMemory 24706->24707 24709 6a900df 24707->24709 24735 99dea0 24736 99dee6 24735->24736 24739 99e488 24736->24739 24742 99e09c 24739->24742 24743 99e4f0 DuplicateHandle 24742->24743 24744 99dfd3 24743->24744 24681 69efec0 24682 69eff00 VirtualAllocEx 24681->24682 24684 69eff3d 24682->24684

                            Executed Functions

                            Function 069E2D70 Relevance: 2.3, Strings: 1, Instructions: 1029COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 148 69e2d70-69e2d91 149 69e2d98-69e2e84 148->149 150 69e2d93 148->150 152 69e2e8a-69e2fde 149->152 153 69e36b1-69e36d9 149->153 150->149 197 69e367f-69e36ae 152->197 198 69e2fe4-69e303f 152->198 156 69e3dbb-69e3dc4 153->156 157 69e3dca-69e3de1 156->157 158 69e36e7-69e36f0 156->158 160 69e36f7-69e37d0 158->160 161 69e36f2 158->161 319 69e37d6 call 69e4020 160->319 320 69e37d6 call 69e4011 160->320 161->160 178 69e37dc-69e37e9 179 69e37eb-69e37f7 178->179 180 69e3813 178->180 182 69e37f9-69e37ff 179->182 183 69e3801-69e3807 179->183 184 69e3819-69e3838 180->184 185 69e3811 182->185 183->185 188 69e383a-69e3893 184->188 189 69e3898-69e3910 184->189 185->184 202 69e3db8 188->202 208 69e3967-69e39aa 189->208 209 69e3912-69e3965 189->209 197->153 205 69e3044-69e304f 198->205 206 69e3041 198->206 202->156 210 69e3593-69e3599 205->210 206->205 238 69e39b5-69e39bb 208->238 209->238 211 69e359f-69e361c 210->211 212 69e3054-69e3072 210->212 252 69e3669-69e366f 211->252 215 69e30c9-69e30de 212->215 216 69e3074-69e3078 212->216 218 69e30e5-69e30fb 215->218 219 69e30e0 215->219 216->215 221 69e307a-69e3085 216->221 223 69e30fd 218->223 224 69e3102-69e3119 218->224 219->218 225 69e30bb-69e30c1 221->225 223->224 229 69e311b 224->229 230 69e3120-69e3136 224->230 227 69e3087-69e308b 225->227 228 69e30c3-69e30c4 225->228 234 69e308d 227->234 235 69e3091-69e30a9 227->235 232 69e3147-69e31b8 228->232 229->230 236 69e313d-69e3144 230->236 237 69e3138 230->237 239 69e31ce-69e3346 232->239 240 69e31ba 232->240 234->235 242 69e30ab 235->242 243 69e30b0-69e30b8 235->243 236->232 237->236 244 69e3a12-69e3a1e 238->244 253 69e335c-69e3497 239->253 254 69e3348 239->254 240->239 245 69e31bc-69e31c8 240->245 242->243 243->225 246 69e39bd-69e39df 244->246 247 69e3a20-69e3aa7 244->247 245->239 248 69e39e6-69e3a0f 246->248 249 69e39e1 246->249 274 69e3c2c-69e3c35 247->274 248->244 249->248 257 69e361e-69e3666 252->257 258 69e3671-69e3677 252->258 267 69e34fb-69e3510 253->267 268 69e3499-69e349d 253->268 254->253 259 69e334a-69e3356 254->259 257->252 258->197 259->253 270 69e3517-69e3538 267->270 271 69e3512 267->271 268->267 272 69e349f-69e34ae 268->272 276 69e353f-69e355e 270->276 277 69e353a 270->277 271->270 273 69e34ed-69e34f3 272->273 278 69e34f5-69e34f6 273->278 279 69e34b0-69e34b4 273->279 280 69e3aac-69e3ac1 274->280 281 69e3c3b-69e3c96 274->281 282 69e3565-69e3585 276->282 283 69e3560 276->283 277->276 290 69e3590 278->290 284 69e34be-69e34df 279->284 285 69e34b6-69e34ba 279->285 286 69e3aca-69e3c20 280->286 287 69e3ac3 280->287 305 69e3ccd-69e3cf7 281->305 306 69e3c98-69e3ccb 281->306 288 69e358c 282->288 289 69e3587 282->289 283->282 292 69e34e6-69e34ea 284->292 293 69e34e1 284->293 285->284 310 69e3c26 286->310 287->286 294 69e3b9f-69e3bdf 287->294 295 69e3b5a-69e3b9a 287->295 296 69e3b15-69e3b55 287->296 297 69e3ad0-69e3b10 287->297 288->290 289->288 290->210 292->273 293->292 294->310 295->310 296->310 297->310 314 69e3d00-69e3dac 305->314 306->314 310->274 314->202 319->178 320->178
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: \ lw
                            • API String ID: 0-2684086738
                            • Opcode ID: 49691df57032418321302312e0dea6e8f1d1c0bde11a6b26ee06f60a8f96cbee
                            • Instruction ID: d9c1a40beef197ae2cecf745ee8794dab9f97f7121d2e3c7d3bb56538db2f972
                            • Opcode Fuzzy Hash: 49691df57032418321302312e0dea6e8f1d1c0bde11a6b26ee06f60a8f96cbee
                            • Instruction Fuzzy Hash: 70B2CD75E00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB265DB319E81CF40
                            Function 069E5E50 Relevance: .1, Instructions: 73COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 391e1c0b851187c864338e81e2253beafb56f68dc54a6f7383ca3c43dd79b3a5
                            • Instruction ID: f2868217070753825eb44ef482eadfcfae4686c91378f45cbcc23052b6e44108
                            • Opcode Fuzzy Hash: 391e1c0b851187c864338e81e2253beafb56f68dc54a6f7383ca3c43dd79b3a5
                            • Instruction Fuzzy Hash: 9F21E6B0D05658DBEB59CFABD94069EBBF6BFC9300F14C16AC418AB255EB3409468F90
                            Function 069E5E60 Relevance: .1, Instructions: 65COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00881b5ae18b0ae50ee3bdccc6516a73000039e2c1307927880f6983b8f62c92
                            • Instruction ID: bcbf5198bfaf26f849f7fd18e7f06d9890ae4a5f890367b809e0ddf31189112f
                            • Opcode Fuzzy Hash: 00881b5ae18b0ae50ee3bdccc6516a73000039e2c1307927880f6983b8f62c92
                            • Instruction Fuzzy Hash: 2221A6B1D04658DBEB58CFABC9446AEFBF6BFC8300F14C16AC418A7255EB7419468F50
                            Function 06A906C8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 321 6a906c8-6a9075d 323 6a9075f-6a90769 321->323 324 6a90796-6a907b6 321->324 323->324 325 6a9076b-6a9076d 323->325 329 6a907b8-6a907c2 324->329 330 6a907ef-6a9081e 324->330 327 6a9076f-6a90779 325->327 328 6a90790-6a90793 325->328 331 6a9077b 327->331 332 6a9077d-6a9078c 327->332 328->324 329->330 333 6a907c4-6a907c6 329->333 340 6a90820-6a9082a 330->340 341 6a90857-6a90911 CreateProcessA 330->341 331->332 332->332 334 6a9078e 332->334 335 6a907e9-6a907ec 333->335 336 6a907c8-6a907d2 333->336 334->328 335->330 338 6a907d4 336->338 339 6a907d6-6a907e5 336->339 338->339 339->339 342 6a907e7 339->342 340->341 343 6a9082c-6a9082e 340->343 352 6a9091a-6a909a0 341->352 353 6a90913-6a90919 341->353 342->335 344 6a90851-6a90854 343->344 345 6a90830-6a9083a 343->345 344->341 347 6a9083c 345->347 348 6a9083e-6a9084d 345->348 347->348 348->348 349 6a9084f 348->349 349->344 363 6a909b0-6a909b4 352->363 364 6a909a2-6a909a6 352->364 353->352 366 6a909c4-6a909c8 363->366 367 6a909b6-6a909ba 363->367 364->363 365 6a909a8 364->365 365->363 369 6a909d8-6a909dc 366->369 370 6a909ca-6a909ce 366->370 367->366 368 6a909bc 367->368 368->366 372 6a909ee-6a909f5 369->372 373 6a909de-6a909e4 369->373 370->369 371 6a909d0 370->371 371->369 374 6a90a0c 372->374 375 6a909f7-6a90a06 372->375 373->372 375->374
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A908FE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1388729006.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: true
                            • Associated: 00000000.00000002.1388178339.0000000006A00000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6a00000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 2c33c4c98a32f2b522883b4e842e2abd0deac4aa3e9dc48df14c8377f1468057
                            • Instruction ID: 93e360d69b296a7fa3b3ef32a8b119ae60207350ae2f87bb98dcc7e6e1817274
                            • Opcode Fuzzy Hash: 2c33c4c98a32f2b522883b4e842e2abd0deac4aa3e9dc48df14c8377f1468057
                            • Instruction Fuzzy Hash: 54915871D007198FEF64DF69C8417EEBBF2BB48350F1485A9E808A7280DB749985CFA1
                            Function 0099590D Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 377 99590d-995913 378 99591c-9959d9 CreateActCtxA 377->378 380 9959db-9959e1 378->380 381 9959e2-995a3c 378->381 380->381 388 995a4b-995a4f 381->388 389 995a3e-995a41 381->389 390 995a51-995a5d 388->390 391 995a60 388->391 389->388 390->391 393 995a61 391->393 393->393
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 009959C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1374323401.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_990000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 5a4701fec546966d0939646c90d91246e8d836252b627b43a44f9209880a0b1d
                            • Instruction ID: 868593554f077e49f3be42506d43e20b2a034be63784e729430e04a2deadca0d
                            • Opcode Fuzzy Hash: 5a4701fec546966d0939646c90d91246e8d836252b627b43a44f9209880a0b1d
                            • Instruction Fuzzy Hash: 7841D0B1C01B19CBEF25CFA9C8847CEBBB5BF89304F20856AD408AB251DB756946CF54
                            Function 0099448C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 394 99448c-9959d9 CreateActCtxA 397 9959db-9959e1 394->397 398 9959e2-995a3c 394->398 397->398 405 995a4b-995a4f 398->405 406 995a3e-995a41 398->406 407 995a51-995a5d 405->407 408 995a60 405->408 406->405 407->408 410 995a61 408->410 410->410
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 009959C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1374323401.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_990000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 098e6b7fda4f3f71c309d59ea5bea0f500ca97ebd1fc6aabecc2b9f5ba90fb72
                            • Instruction ID: d3075a59a9b7158f57d718f89308f95ee12c599020d1c768a8f69d53e9103f23
                            • Opcode Fuzzy Hash: 098e6b7fda4f3f71c309d59ea5bea0f500ca97ebd1fc6aabecc2b9f5ba90fb72
                            • Instruction Fuzzy Hash: D041CF70C01B1DCBEB25CFA9C884B8EBBF5BF89704F20856AD408AB251DB756945CF94
                            Function 069EFD92 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 411 69efd92-69efd93 412 69efddd-69efe33 411->412 413 69efd95-69efdb6 411->413 417 69efe35-69efe41 412->417 418 69efe43-69efe46 412->418 413->412 417->418 419 69efe4d-69efe73 Wow64SetThreadContext 418->419 420 69efe7c-69efeac 419->420 421 69efe75-69efe7b 419->421 421->420
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069EFE66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 216d6638d66ee7a9abd64e2faafb50a06a4f8097392b8ebdeb14b035a3e5bffc
                            • Instruction ID: 75ed6f6a93f4108b9b603f5af4009c4992c1ff26e2f22802fdd2206bbfd234ba
                            • Opcode Fuzzy Hash: 216d6638d66ee7a9abd64e2faafb50a06a4f8097392b8ebdeb14b035a3e5bffc
                            • Instruction Fuzzy Hash: 6231CD71C043498FDB11CFA9C8447AEBBF4AF09224F14846EC459A7282C7389941CFA1
                            Function 06A90040 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 425 6a90040-6a9008e 427 6a9009e-6a900dd WriteProcessMemory 425->427 428 6a90090-6a9009c 425->428 430 6a900df-6a900e5 427->430 431 6a900e6-6a90116 427->431 428->427 430->431
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A900D0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1388729006.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: true
                            • Associated: 00000000.00000002.1388178339.0000000006A00000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6a00000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 1eb093f1da6b5180f4576571a8fc43e9e438cfc09eeb87fa3e14dc6b4a0f0b7e
                            • Instruction ID: 442a4a294a8d33773f4bd12e16a460245b0a934169480a166fe04feb45144a4f
                            • Opcode Fuzzy Hash: 1eb093f1da6b5180f4576571a8fc43e9e438cfc09eeb87fa3e14dc6b4a0f0b7e
                            • Instruction Fuzzy Hash: 3A2124729003499FDF10DFAAC885BEEBBF5FF48310F14842AE958A7240D7799954CBA0
                            Function 069EF8F8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 435 69ef8f8-69ef8fd 437 69ef8ff-69ef96f ResumeThread 435->437 438 69ef8b2-69ef8cf 435->438 445 69ef978-69ef99d 437->445 446 69ef971-69ef977 437->446 440 69ef8d6-69ef8d9 438->440 441 69ef8d1 438->441 444 69ef8e1-69ef8ea 440->444 441->440 446->445
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 28addd95ebca953b1fa386d62fa6cf9ac1e820f75c8ddb8a55023cd8afdc9297
                            • Instruction ID: 2ba74a7bfaf2de5172cc88de811472d76fc4c23160dabcd081d29fdc00649207
                            • Opcode Fuzzy Hash: 28addd95ebca953b1fa386d62fa6cf9ac1e820f75c8ddb8a55023cd8afdc9297
                            • Instruction Fuzzy Hash: 6A215571D00348DBDB14DFAAC4447EEBBF4EF89320F20846AD429A7780DB799A40CB90
                            Function 069EFDE1 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 456 69efde1-69efe33 459 69efe35-69efe41 456->459 460 69efe43-69efe46 456->460 459->460 461 69efe4d-69efe73 Wow64SetThreadContext 460->461 462 69efe7c-69efeac 461->462 463 69efe75-69efe7b 461->463 463->462
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069EFE66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 2c9c2969e2217c93169b9ff89675ec16be2ae09285e5f66209453a5afd9eeeea
                            • Instruction ID: 69dc4d0a049f8aa5466fbe8bed0c2c1a5e451fcace7cc977e5aef90def38c0d3
                            • Opcode Fuzzy Hash: 2c9c2969e2217c93169b9ff89675ec16be2ae09285e5f66209453a5afd9eeeea
                            • Instruction Fuzzy Hash: AF215772D003098FDB10CFAAC4857EEBBF4AF48324F14842ED519A7241C778AA44CBA0
                            Function 0099E09C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 450 99e09c-99e584 DuplicateHandle 452 99e58d-99e5aa 450->452 453 99e586-99e58c 450->453 453->452
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0099E4B6,?,?,?,?,?), ref: 0099E577
                            Memory Dump Source
                            • Source File: 00000000.00000002.1374323401.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_990000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 981eb0607d171ecee4ebdce06945726db438ade4019684793b7bb88b19a9f0aa
                            • Instruction ID: 9edb4a875c7b983e52f8a253826e190401930adf0dbae44af1a159a38a0083a9
                            • Opcode Fuzzy Hash: 981eb0607d171ecee4ebdce06945726db438ade4019684793b7bb88b19a9f0aa
                            • Instruction Fuzzy Hash: B121E5B5900349DFDF10CF9AD484ADEBBF8EB48314F14842AE914A3350D374A950CFA5
                            Function 069EFDE8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 467 69efde8-69efe33 469 69efe35-69efe41 467->469 470 69efe43-69efe73 Wow64SetThreadContext 467->470 469->470 472 69efe7c-69efeac 470->472 473 69efe75-69efe7b 470->473 473->472
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069EFE66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 0d36f64d85076633b1ee8a82f2ad983d253b4d37f6a70ea6f9625e649890f6ef
                            • Instruction ID: 97cfba2c267d90a98606788cc868c62b17b0efd88a05d23db0dfbf4b79de29df
                            • Opcode Fuzzy Hash: 0d36f64d85076633b1ee8a82f2ad983d253b4d37f6a70ea6f9625e649890f6ef
                            • Instruction Fuzzy Hash: 1C213472D003098FDB10DFAAC4857EEBBF4AF48310F14842ED559A7241D778AA44CBA1
                            Function 06A90130 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 477 6a90130-6a901bd ReadProcessMemory 480 6a901bf-6a901c5 477->480 481 6a901c6-6a901f6 477->481 480->481
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A901B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1388729006.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: true
                            • Associated: 00000000.00000002.1388178339.0000000006A00000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6a00000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 855b4438effbdbc9a2f3e29037380b64204bfed0869bc93086f53b67f04d12fc
                            • Instruction ID: 4e98bbb4fd4afa28c47639fa5b74e6ff103b65dbf13053fb0500148faa7cfca0
                            • Opcode Fuzzy Hash: 855b4438effbdbc9a2f3e29037380b64204bfed0869bc93086f53b67f04d12fc
                            • Instruction Fuzzy Hash: 552114B2C003499FDB10DFAAC880BEEBBF5FF48310F14842AE558A7240D7799944CBA1
                            Function 069EFEB9 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                            Download Yara Rule
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069EFF2E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 83ed424339e67db1ae04a826b28434e3533e38f32ea1c9f9b0540fc3cf9bdead
                            • Instruction ID: 93ea5e6611f23c297406abb593cf9e80eb5bc1b74f8a1f95cfad90fa781864b5
                            • Opcode Fuzzy Hash: 83ed424339e67db1ae04a826b28434e3533e38f32ea1c9f9b0540fc3cf9bdead
                            • Instruction Fuzzy Hash: 5E1159728003499FDF10CFAAC844BDFBBF5EF49314F14842AE515A7250C7799540CBA0
                            Function 069EFEC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                            Download Yara Rule
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069EFF2E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 91c74bea02d2b7cd85457577dce9702cbf75d73065ec2ed2fc73b65f936ff0be
                            • Instruction ID: 78c0dceff8a9363aa96c704b8626c7cacf907b6b8c0cc9a5a6503d4671651f4a
                            • Opcode Fuzzy Hash: 91c74bea02d2b7cd85457577dce9702cbf75d73065ec2ed2fc73b65f936ff0be
                            • Instruction Fuzzy Hash: C21137728003499FDF11DFAAC844BDEBBF5EF49314F14882AE519A7250C7799544CFA1
                            Function 069EFDB9 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON
                            Download Yara Rule
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069EFE66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 3db586b0d32a620bf119cc4437f8e8ec99eb53f144040ddbe76820e96e416ce6
                            • Instruction ID: 2f17f408684420874e30fa15918e15aa8c43c5af3e59658a6f53ca30034bcb50
                            • Opcode Fuzzy Hash: 3db586b0d32a620bf119cc4437f8e8ec99eb53f144040ddbe76820e96e416ce6
                            • Instruction Fuzzy Hash: 76118232E0070A8FDB00CF99D8453EEBBF5EF88324F14806AD558AB642C779A945CB61
                            Function 069EF900 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                            Download Yara Rule
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 6d2a0719134bdde340512a3729c4bbbc4ad95c77e454c1a7c15ba69cacdebab6
                            • Instruction ID: 71dc813d950ccae1f05f7064c0cebd5df02bed6f6cedcf6c463f408049103b24
                            • Opcode Fuzzy Hash: 6d2a0719134bdde340512a3729c4bbbc4ad95c77e454c1a7c15ba69cacdebab6
                            • Instruction Fuzzy Hash: F91136B1D003498FDB10DFAAC8457EEFBF4EF88320F24842AD559A7640C779A944CBA5
                            Function 06A90280 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                            Download Yara Rule
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A92F45
                            Memory Dump Source
                            • Source File: 00000000.00000002.1388729006.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: true
                            • Associated: 00000000.00000002.1388178339.0000000006A00000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6a00000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: c51c8af54e54f884ab15cf0ae9c9d3ae4263c801ce744fbbec6953851140ef1f
                            • Instruction ID: 5a2962e8f0c0ae2da8c6fb3fedf40910d3585e32669bba1cd841dd3f1358ef19
                            • Opcode Fuzzy Hash: c51c8af54e54f884ab15cf0ae9c9d3ae4263c801ce744fbbec6953851140ef1f
                            • Instruction Fuzzy Hash: C21106B5800349DFDB10DF9AC884BDEBBF8EB48314F20845AE518A7250D375A944CFA5
                            Function 0099BDF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                            Download Yara Rule
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0099BE5E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1374323401.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_990000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: dbc992e57826501773469c1f0f21a910c1d1dd6b79db16068ff7ba8fe7f3ee3e
                            • Instruction ID: a9b19ddce900f19f09d541ec3f91ee38f81d3b031f5a4d1a41164e2ff1ea91b0
                            • Opcode Fuzzy Hash: dbc992e57826501773469c1f0f21a910c1d1dd6b79db16068ff7ba8fe7f3ee3e
                            • Instruction Fuzzy Hash: 0F110FB6C002498FDB10CF9AD544BDEFBF9AB88310F10842AD518A7210D379A945CFA1
                            Function 006ED4C4 Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372721497.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6ed000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 79efabc888774d01983cad3821806682dc3679cdf7db2d9b79104ed63a975614
                            • Instruction ID: 71b6df970bbee36bd1b04158b63e5ba42120a6141bd0a7b6acc6d8c89a781f93
                            • Opcode Fuzzy Hash: 79efabc888774d01983cad3821806682dc3679cdf7db2d9b79104ed63a975614
                            • Instruction Fuzzy Hash: 36212572500380DFDB05DF10D9C0B6ABF66FB98318F24C569E8090B296C336D856CBA2
                            Function 006ED3D8 Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372721497.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6ed000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2587df2a8cb83da343938c66760aaab327389c749c84a9ff010fbd714a2bb078
                            • Instruction ID: f01a0b5e18f5acd35cd3cd47d488c2d151e3f950b8053f7fba268db928b0f616
                            • Opcode Fuzzy Hash: 2587df2a8cb83da343938c66760aaab327389c749c84a9ff010fbd714a2bb078
                            • Instruction Fuzzy Hash: 98213A71500384DFDB05DF10D9C0B5ABBA6FBA4314F24C169E8094B396C336E856CBA2
                            Function 006FD01C Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372863893.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6fd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1eac14226eeeb3cff2e95ae4ac3dcf581d99134f6700939ea35fb040befdb4d0
                            • Instruction ID: 12ed20f3c7f83650a09e5358debc1b62d8e52b899bfb742e9ceea8f4b0c79cf0
                            • Opcode Fuzzy Hash: 1eac14226eeeb3cff2e95ae4ac3dcf581d99134f6700939ea35fb040befdb4d0
                            • Instruction Fuzzy Hash: 1421F271604348DFDB14DF10D9C0B26BB67FB84314F24C569EA0A4B386CB36E847CA62
                            Function 006FD1D4 Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372863893.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6fd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6343ee3b0187b639950c38532a78a82de7b0c0375bbb0b9fc0602ecd79370eeb
                            • Instruction ID: 96f1b2a1a86ed13d979e74da180d34464fab7a96cefee39420f6516a06430b3d
                            • Opcode Fuzzy Hash: 6343ee3b0187b639950c38532a78a82de7b0c0375bbb0b9fc0602ecd79370eeb
                            • Instruction Fuzzy Hash: 9421F271504348EFDB05DF10D9C0B26BBA7FB84314F24C5ADEA094B396C736E946CAA1
                            Function 006FD006 Relevance: .1, Instructions: 62COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372863893.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6fd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c3a35b2ed4272acd69c60662cee786d7bb072af91d097245e2ac452483c34a13
                            • Instruction ID: 07b6f88381cbf64c92112a1c9e91d5bf56ae045c93ff14d3cf44c50da358185a
                            • Opcode Fuzzy Hash: c3a35b2ed4272acd69c60662cee786d7bb072af91d097245e2ac452483c34a13
                            • Instruction Fuzzy Hash: 85218E755093848FCB02CF20D990755BF72EB46314F28C5EAD9498B6A7C33A980ACB62
                            Function 006ED4BF Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372721497.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6ed000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: 3de5be4f7ed61743e7c8fa3bfa8a00ac62c796f12916ead6222886f72437ef08
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: 3011B176504380DFCB15CF10D9C4B56BF72FB94318F24C6AAD8490B656C336D856CBA1
                            Function 006ED3D3 Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372721497.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6ed000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: a8033cf50f630c61700506f32e894547d4e61fe0a2c114b3ab78a0738da0a194
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: E111AF76504280DFCB15CF10D5C4B56BFB2FBA4324F24C6A9D8090B696C33AE856CBA1
                            Function 006FD1CF Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1372863893.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6fd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction ID: db446fb67d41a46a095b912221875bc28d1ca686f31ba1ca74b9da45e758b5e8
                            • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction Fuzzy Hash: 8011BE75504244DFCB01CF10C5C0B65BB62FB84314F24C6AADA494B796C33AE84ACB91

                            Non-executed Functions

                            Function 069EF0D8 Relevance: .3, Instructions: 312COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 986a8619cc8fd946a2b2aa36811147a271d552a392652e9c1a85b1e0f65c6081
                            • Instruction ID: a8c4fb20b392482f86247179e58a6fdcd58f97afa37cee9ca898520388b8ab66
                            • Opcode Fuzzy Hash: 986a8619cc8fd946a2b2aa36811147a271d552a392652e9c1a85b1e0f65c6081
                            • Instruction Fuzzy Hash: B0E1D474E002598FDB14DFA9C580AAEFBF2BF89305F24816AD414AB356D731AD41CFA1
                            Function 069EDE38 Relevance: .3, Instructions: 312COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f38105e20b44cc0abf85f3e41513ec8e9a808e7cacbe92e019c3a8f7b42e18aa
                            • Instruction ID: 562b9ec7b90c37033de7e3fe57f642c595a7694981908680b7c197bb7a9616f2
                            • Opcode Fuzzy Hash: f38105e20b44cc0abf85f3e41513ec8e9a808e7cacbe92e019c3a8f7b42e18aa
                            • Instruction Fuzzy Hash: 16E1F574E002198FDB14DFA9C580AAEFBF2BF89305F248569D414AB359D734AD46CFA0
                            Function 069E2D61 Relevance: .2, Instructions: 238COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4e2ebc7f71668aa85e86a688cc45de6d329ded3c8323dedcce8f500c655e190
                            • Instruction ID: 78f67f365667295c26b7bfd2327a3c6ff6a2ffe01dc7a21f5a655ac7ba700c3a
                            • Opcode Fuzzy Hash: e4e2ebc7f71668aa85e86a688cc45de6d329ded3c8323dedcce8f500c655e190
                            • Instruction Fuzzy Hash: 91C16175E01618CFDB58DF6AC944ADDBBF2AF88301F14C1AAD809AB364DB345A85CF50
                            Function 069E52A8 Relevance: .2, Instructions: 188COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b3e70263b4c6c00f2c8fc0a9344024bddbc402f64e9539691d612869a189501f
                            • Instruction ID: 86c6c26df8deea70421f74b7e44a53895ee6cc95f83fa0417bedf3a72eec0d86
                            • Opcode Fuzzy Hash: b3e70263b4c6c00f2c8fc0a9344024bddbc402f64e9539691d612869a189501f
                            • Instruction Fuzzy Hash: 72614570D09208CFEB55CFA9C440AEEBBB6FF89304F21A42AD419B7651D7755942CF80
                            Function 069E2A78 Relevance: .2, Instructions: 168COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 99bb432e656f0ac59e516be71c60e4395b00e8a47fef70622304e4f3dceb10e2
                            • Instruction ID: 6817824494f63b381f8a0e059a9d2e2f4abf1ccc775acac2b2ec2591f03314ab
                            • Opcode Fuzzy Hash: 99bb432e656f0ac59e516be71c60e4395b00e8a47fef70622304e4f3dceb10e2
                            • Instruction Fuzzy Hash: 3B61EAB1901249CFE748EF7BE85069EBBF3FB88300F14C52AD415AB259EB786905CB51
                            Function 069E2A88 Relevance: .2, Instructions: 159COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 66a806074f3f789f79bb475075184a71eebede3a6ff6ea90b4115ba0e6e92573
                            • Instruction ID: c406637e3b129881af1ce21134fa308facf22e135b569d8e6c55df318a1ab2d6
                            • Opcode Fuzzy Hash: 66a806074f3f789f79bb475075184a71eebede3a6ff6ea90b4115ba0e6e92573
                            • Instruction Fuzzy Hash: EE61EBB0A01249CFE748EF6BE85069E7BF3FBC8200F14C52AD414AB259EB786905CB50
                            Function 069EF0C8 Relevance: .1, Instructions: 134COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1387907115.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_69e0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7c5c75b7cb3dc50b4dde3a610d5ef4573de7c33deb04f3b91ee81b31994fa94
                            • Instruction ID: dababf5ce91d554b8a2ef0bf2a88b0173ff42cae7f03e3d9580444adfe7d098e
                            • Opcode Fuzzy Hash: e7c5c75b7cb3dc50b4dde3a610d5ef4573de7c33deb04f3b91ee81b31994fa94
                            • Instruction Fuzzy Hash: E551F874E042198FDB15CFA9C5806AEFBF2BF89304F2481AAD418AB355D7359D42CFA1

                            Execution Graph

                            Execution Coverage:0.8%
                            Dynamic/Decrypted Code Coverage:5.9%
                            Signature Coverage:9.8%
                            Total number of Nodes:102
                            Total number of Limit Nodes:8
                            execution_graph 95649 4253a3 95653 4253bc 95649->95653 95650 425404 95657 42ed53 95650->95657 95653->95650 95654 425444 95653->95654 95656 425449 95653->95656 95655 42ed53 RtlFreeHeap 95654->95655 95655->95656 95660 42d023 95657->95660 95659 425414 95661 42d040 95660->95661 95662 42d051 RtlFreeHeap 95661->95662 95662->95659 95663 42ff23 95664 42fe93 95663->95664 95665 42fef0 95664->95665 95669 42ee33 95664->95669 95667 42fecd 95668 42ed53 RtlFreeHeap 95667->95668 95668->95665 95672 42cfd3 95669->95672 95671 42ee4e 95671->95667 95673 42cfed 95672->95673 95674 42cffe RtlAllocateHeap 95673->95674 95674->95671 95741 42c2d3 95742 42c2ed 95741->95742 95745 fc2df0 LdrInitializeThunk 95742->95745 95743 42c315 95745->95743 95746 42fdf3 95747 42fe03 95746->95747 95748 42fe09 95746->95748 95749 42ee33 RtlAllocateHeap 95748->95749 95750 42fe2f 95749->95750 95751 425013 95752 42502f 95751->95752 95753 425057 95752->95753 95754 42506b 95752->95754 95755 42ccc3 NtClose 95753->95755 95756 42ccc3 NtClose 95754->95756 95757 425060 95755->95757 95758 425074 95756->95758 95761 42ee73 RtlAllocateHeap 95758->95761 95760 42507f 95761->95760 95762 414373 95763 414393 95762->95763 95765 4143fc 95763->95765 95767 41bad3 RtlFreeHeap LdrInitializeThunk 95763->95767 95766 4143f2 95767->95766 95768 414193 95771 42cf33 95768->95771 95772 42cf4d 95771->95772 95775 fc2c70 LdrInitializeThunk 95772->95775 95773 4141b5 95775->95773 95776 417eb3 95777 417ed7 95776->95777 95778 417f13 LdrLoadDll 95777->95778 95779 417ede 95777->95779 95778->95779 95675 401d0d 95676 401d17 95675->95676 95679 4302c3 95676->95679 95682 42e903 95679->95682 95683 42e929 95682->95683 95692 407703 95683->95692 95685 42e93f 95691 401e16 95685->95691 95695 41b7c3 95685->95695 95687 42e95e 95688 42d073 ExitProcess 95687->95688 95689 42e973 95687->95689 95688->95689 95706 42d073 95689->95706 95709 416b73 95692->95709 95694 407710 95694->95685 95696 41b7ef 95695->95696 95727 41b6b3 95696->95727 95699 41b834 95701 41b850 95699->95701 95704 42ccc3 NtClose 95699->95704 95700 41b81c 95703 41b827 95700->95703 95733 42ccc3 95700->95733 95701->95687 95703->95687 95705 41b846 95704->95705 95705->95687 95707 42d090 95706->95707 95708 42d0a1 ExitProcess 95707->95708 95708->95691 95710 416b8d 95709->95710 95712 416ba6 95710->95712 95713 42d6f3 95710->95713 95712->95694 95715 42d70d 95713->95715 95714 42d73c 95714->95712 95715->95714 95720 42c323 95715->95720 95718 42ed53 RtlFreeHeap 95719 42d7b5 95718->95719 95719->95712 95721 42c340 95720->95721 95724 fc2c0a 95721->95724 95722 42c36c 95722->95718 95725 fc2c1f LdrInitializeThunk 95724->95725 95726 fc2c11 95724->95726 95725->95722 95726->95722 95728 41b7a9 95727->95728 95729 41b6cd 95727->95729 95728->95699 95728->95700 95736 42c3c3 95729->95736 95732 42ccc3 NtClose 95732->95728 95734 42ccdd 95733->95734 95735 42ccee NtClose 95734->95735 95735->95703 95737 42c3dd 95736->95737 95740 fc35c0 LdrInitializeThunk 95737->95740 95738 41b79d 95738->95732 95740->95738

                            Executed Functions

                            Function 00417EB3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 96 417eb3-417ecf 97 417ed7-417edc 96->97 98 417ed2 call 42f933 96->98 99 417ee2-417ef0 call 42ff33 97->99 100 417ede-417ee1 97->100 98->97 103 417f00-417f11 call 42e3d3 99->103 104 417ef2-417efd call 4301d3 99->104 109 417f13-417f27 LdrLoadDll 103->109 110 417f2a-417f2d 103->110 104->103 109->110
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417F25
                            Memory Dump Source
                            • Source File: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
                            • Instruction ID: 74b1a67ad7a1e6c5496c2b823323dd79b328b320fcbdb6ab911308b9a49c7e9b
                            • Opcode Fuzzy Hash: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
                            • Instruction Fuzzy Hash: 65011EB5E4020DABDF10DAA5DC42FDEB3B8AB54308F0041AAED0897241F675EB598B95
                            Function 0042CCC3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 121 42ccc3-42ccfc call 404b43 call 42ded3 NtClose
                            APIs
                            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CCF7
                            Memory Dump Source
                            • Source File: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
                            • Instruction ID: 7dd1565d8f3dbc3bc04d904a055674cb4cb7d7fe92152ebc39fafefd714ea547
                            • Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
                            • Instruction Fuzzy Hash: A8E04F316006147BE610AA6ADC41FD7776CDFC5714F408419FA08A7181C670B91187F4
                            Function 00FC2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 135 fc2c70-fc2c7c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: ef7e42b6a46f5379e4e85d1abe4de7a27fc18f426c37321e356142ebdb227757
                            • Instruction ID: 95426218983a0de8357c45d6b0d16c7c1c6e6d3978c40881e405d08218a4901c
                            • Opcode Fuzzy Hash: ef7e42b6a46f5379e4e85d1abe4de7a27fc18f426c37321e356142ebdb227757
                            • Instruction Fuzzy Hash: 8890023520149812D2107158C40474E001687D0341F5DC423A4424668E8A9989927121
                            Function 00FC2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 136 fc2df0-fc2dfc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b919c1a64f67162531feb4f093a44ae6f36d5e507563a483f6af62b18b40c1b6
                            • Instruction ID: 2959e3cc8f2bf0787db7e1704b2aee03464d78814cfc7b8e45948676f2d2ed46
                            • Opcode Fuzzy Hash: b919c1a64f67162531feb4f093a44ae6f36d5e507563a483f6af62b18b40c1b6
                            • Instruction Fuzzy Hash: 8E90023520141423D2117158850470B001A87D0381F99C423A0424568E9A5A8A53B121
                            Function 00FC35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 137 fc35c0-fc35cc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 7115e25b4bcf42ccb048b9b5fd5987dd5d14117dd6236f21a73bf003d06dfdf3
                            • Instruction ID: b25afad3a6c0e877af5ef1a1c5d7d5bc4179cb93d9055051b7fbcb1d37c6940d
                            • Opcode Fuzzy Hash: 7115e25b4bcf42ccb048b9b5fd5987dd5d14117dd6236f21a73bf003d06dfdf3
                            • Instruction Fuzzy Hash: 3790023560551412D2007158851470A101687D0341F69C423A0424578E8B998A5275A2
                            Function 0042D023 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 116 42d023-42d067 call 404b43 call 42ded3 RtlFreeHeap
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4E8B0446,00000007,00000000,00000004,00000000,00417735,000000F4), ref: 0042D062
                            Memory Dump Source
                            • Source File: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
                            • Instruction ID: b1f67ff1680508f6b48a13b8e8d45400879f8c202f5ac700e6df5a6440d7a715
                            • Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
                            • Instruction Fuzzy Hash: B9E06D72604204BBD610EE59EC41F9B77ACDFC5714F004419FA08AB242D770B91086B8
                            Function 0042CFD3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 111 42cfd3-42d014 call 404b43 call 42ded3 RtlAllocateHeap
                            APIs
                            • RtlAllocateHeap.NTDLL(?,0041EC5B,?,?,00000000,?,0041EC5B,?,?,?), ref: 0042D00F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
                            • Instruction ID: 7b03c5464cd71f7b56b57a232ca469f330cc0886600393034a38dfef118b4b2f
                            • Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
                            • Instruction Fuzzy Hash: 9AE09AB6700208BBD610EE59EC41F9B77ACEFC9710F004419FE09AB242D670B9108BB8
                            Function 0042D073 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 126 42d073-42d0af call 404b43 call 42ded3 ExitProcess
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1901449270.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
                            • Instruction ID: 46dd625dd64cb4bfb7d8af5c768814de95ff13fe0ff90786c18fe221300a3b06
                            • Opcode Fuzzy Hash: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
                            • Instruction Fuzzy Hash: 07E04F322002147BD510AA5ADC41FDBB7ACDBC5710F014419FA08A7182DAB0BA0187E4
                            Function 00FC2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 131 fc2c0a-fc2c0f 132 fc2c1f-fc2c26 LdrInitializeThunk 131->132 133 fc2c11-fc2c18 131->133
                            APIs
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 958f8d593507492158f5b5d33dfb6ecd212d47c7953d78dbffd6ae40332e2eb4
                            • Instruction ID: dc63b5c727b5e34f658d53b19421ac543efb9d59baa997e568f839c79ca45ffb
                            • Opcode Fuzzy Hash: 958f8d593507492158f5b5d33dfb6ecd212d47c7953d78dbffd6ae40332e2eb4
                            • Instruction Fuzzy Hash: D4B04C719015D595DA51E7608609B1A7911A790751F19C066D2020651A47288591F175

                            Non-executed Functions

                            Function 01002349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2160512332
                            • Opcode ID: 112e872eb16cf9e0fcf79945d565de32ef6d6ce2a9b6c9b280c75d919955438e
                            • Instruction ID: 369be5cb49e7c2859e67c89ac2d129d9c3707db3df777e1abb3fea2ae1ee3abc
                            • Opcode Fuzzy Hash: 112e872eb16cf9e0fcf79945d565de32ef6d6ce2a9b6c9b280c75d919955438e
                            • Instruction Fuzzy Hash: D5929C71604741AFF762DE28C885B6BB7E8BB88750F04482DFAC4D7291D774E844CB92
                            Function 00FB8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                            Download Yara Rule
                            Strings
                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FF540A, 00FF5496, 00FF5519
                            • 8, xrefs: 00FF52E3
                            • undeleted critical section in freed memory, xrefs: 00FF542B
                            • Critical section address, xrefs: 00FF5425, 00FF54BC, 00FF5534
                            • corrupted critical section, xrefs: 00FF54C2
                            • Thread is in a state in which it cannot own a critical section, xrefs: 00FF5543
                            • Critical section address., xrefs: 00FF5502
                            • Invalid debug info address of this critical section, xrefs: 00FF54B6
                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FF54CE
                            • Address of the debug info found in the active list., xrefs: 00FF54AE, 00FF54FA
                            • Critical section debug info address, xrefs: 00FF541F, 00FF552E
                            • Thread identifier, xrefs: 00FF553A
                            • double initialized or corrupted critical section, xrefs: 00FF5508
                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FF54E2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                            • API String ID: 0-2368682639
                            • Opcode ID: 8dab0d17447a3cfeb54532860d17e6bd59744ec486392a9d04a227706a0881ba
                            • Instruction ID: f5e8897e566d277529d64ff338b896593583be1eed989def5c28cf8e2acc8812
                            • Opcode Fuzzy Hash: 8dab0d17447a3cfeb54532860d17e6bd59744ec486392a9d04a227706a0881ba
                            • Instruction Fuzzy Hash: 2C819EB1E00748EFDB20CF95C841BAEBBB9BF48B54F144119F604B7290D775A941EB51
                            Function 00FB29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                            Download Yara Rule
                            Strings
                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 00FF25EB
                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 00FF2409
                            • @, xrefs: 00FF259B
                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 00FF2498
                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 00FF22E4
                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00FF2506
                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 00FF2412
                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00FF24C0
                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 00FF2624
                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 00FF2602
                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 00FF261F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                            • API String ID: 0-4009184096
                            • Opcode ID: c9c9213500e358bf680d9655aaf3d42efec713ae86b90e39e6c3993bd37ef2b6
                            • Instruction ID: d70137af69bdc2166413adb1fbb39d3a0352026e12f0db66d0932f6a4af8a000
                            • Opcode Fuzzy Hash: c9c9213500e358bf680d9655aaf3d42efec713ae86b90e39e6c3993bd37ef2b6
                            • Instruction Fuzzy Hash: 59027EF2D042299BDB71DB14CC81BEEB7B8AF44714F0041DAA609A7251EB709F84EF59
                            Function 01028B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                            • API String ID: 0-2515994595
                            • Opcode ID: 4813bab8459d31bc32a14134114a0148aa092fc89cca04adfec6204cb53f2202
                            • Instruction ID: 6373236397890163936d9f207723d89d30cd5db3153076b7125a0b95b5985235
                            • Opcode Fuzzy Hash: 4813bab8459d31bc32a14134114a0148aa092fc89cca04adfec6204cb53f2202
                            • Instruction Fuzzy Hash: CA51F2755083259BC325EF189849BABBBECFF84340F24891EFA98C3241E770D508DB92
                            Function 01030274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                            • API String ID: 0-1700792311
                            • Opcode ID: b1facc61e1d1961c5193c5f425ff47d1175e810ae15b6633f66c5cbb3271dc2c
                            • Instruction ID: 4d189e92302f778b4274ffe76489b03aee90ba14e69b868509b3c3bc93ee35b6
                            • Opcode Fuzzy Hash: b1facc61e1d1961c5193c5f425ff47d1175e810ae15b6633f66c5cbb3271dc2c
                            • Instruction Fuzzy Hash: D7D1E231901645DFDB62DF68C841AAEBBF9FF8A700F08C09AF5899B256C739D940DB11
                            Function 010089B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                            Download Yara Rule
                            Strings
                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01008A3D
                            • VerifierFlags, xrefs: 01008C50
                            • VerifierDlls, xrefs: 01008CBD
                            • HandleTraces, xrefs: 01008C8F
                            • VerifierDebug, xrefs: 01008CA5
                            • AVRF: -*- final list of providers -*- , xrefs: 01008B8F
                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01008A67
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                            • API String ID: 0-3223716464
                            • Opcode ID: 27391508b11807c73aed339773dca289e009481fec7c85f983b10174ae0e7c89
                            • Instruction ID: df866ec5cb8d3cf2d92c8e3e9bbec8b0cb03a66fcd62d8a2103d6b259b816a76
                            • Opcode Fuzzy Hash: 27391508b11807c73aed339773dca289e009481fec7c85f983b10174ae0e7c89
                            • Instruction Fuzzy Hash: 7A912171E00705ABF723EF288C81B9A77E4BB45714F05855AFAC56B2C2C735AC01CB96
                            Function 00F8EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                            • API String ID: 0-1109411897
                            • Opcode ID: 62dc64212e824132018a2be9fa8e80eca28601f18ea2f257972533a07703028d
                            • Instruction ID: 5a02b944c3ef7228d68a9c55e04dbc890cbd1ccfc1b4cbc08093ea29633d4126
                            • Opcode Fuzzy Hash: 62dc64212e824132018a2be9fa8e80eca28601f18ea2f257972533a07703028d
                            • Instruction Fuzzy Hash: 79A25A71E0566A8FDB64DF15CC887E9B7B1AF45310F2442EAD80DA7290DB34AE85EF00
                            Function 00FB63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-792281065
                            • Opcode ID: 7f60fd8f55fa49a00d96f11fa339931ca0cc651d7c9b93491c496396a84f153a
                            • Instruction ID: aa3301a49087b1151f6b2aed0604aded3736b008a84abf61439420e65d520ad8
                            • Opcode Fuzzy Hash: 7f60fd8f55fa49a00d96f11fa339931ca0cc651d7c9b93491c496396a84f153a
                            • Instruction Fuzzy Hash: 35910071E00A19DBEB35DB14DC45BFA77A0BF40B24F140128EA41BB291DBADA841FB91
                            Function 00F7645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                            Download Yara Rule
                            Strings
                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00FD9A2A
                            • LdrpInitShimEngine, xrefs: 00FD99F4, 00FD9A07, 00FD9A30
                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00FD99ED
                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 00FD9A01
                            • minkernel\ntdll\ldrinit.c, xrefs: 00FD9A11, 00FD9A3A
                            • apphelp.dll, xrefs: 00F76496
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-204845295
                            • Opcode ID: 0414f119f5922ed2021a9f4477f00c324f1059ae9db2ec897ebfe7338b6cda8e
                            • Instruction ID: 3a27753727ef7f15ab838d8deefbc6ce0da706370a43cd10b065ab5ffbd05bf5
                            • Opcode Fuzzy Hash: 0414f119f5922ed2021a9f4477f00c324f1059ae9db2ec897ebfe7338b6cda8e
                            • Instruction Fuzzy Hash: 9C51C2726087009BE320DF64CC42BAB77E9FB84754F14451AF5899B291D778E904FB93
                            Function 00FBC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                            Download Yara Rule
                            Strings
                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 00FF81E5
                            • minkernel\ntdll\ldrredirect.c, xrefs: 00FF8181, 00FF81F5
                            • LdrpInitializeImportRedirection, xrefs: 00FF8177, 00FF81EB
                            • Loading import redirection DLL: '%wZ', xrefs: 00FF8170
                            • LdrpInitializeProcess, xrefs: 00FBC6C4
                            • minkernel\ntdll\ldrinit.c, xrefs: 00FBC6C3
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-475462383
                            • Opcode ID: c0b33514ef5e43d8da6acf25d251aa4de844f8f764cf9d8742efe213c89cdefd
                            • Instruction ID: ca7df8437ea30dbc312c1cc1baa187392187bdde34b044516bd243f49dc7d1f7
                            • Opcode Fuzzy Hash: c0b33514ef5e43d8da6acf25d251aa4de844f8f764cf9d8742efe213c89cdefd
                            • Instruction Fuzzy Hash: C1311771B443059BD320EF28DD46E6B7795EF85B20F040518F985AB2E1DA28ED05EBA3
                            Function 00FB2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                            Download Yara Rule
                            Strings
                            • RtlGetAssemblyStorageRoot, xrefs: 00FF2160, 00FF219A, 00FF21BA
                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 00FF2178
                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 00FF2180
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 00FF21BF
                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 00FF219F
                            • SXS: %s() passed the empty activation context, xrefs: 00FF2165
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                            • API String ID: 0-861424205
                            • Opcode ID: ca0c43aec1436922e815a707e6a67445655f597fab9b683b0f0caeb2a6fd0c3e
                            • Instruction ID: 317c8a95fd62f7d0161b0eec85455063e625d10b0e2aaffffd4f7ed083ad141d
                            • Opcode Fuzzy Hash: ca0c43aec1436922e815a707e6a67445655f597fab9b683b0f0caeb2a6fd0c3e
                            • Instruction Fuzzy Hash: 58316632F4032977E721AAA68C85FAF7778DF61B50F240058BB04A7191D670DE00FBA5
                            Function 00FC096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 00FC2DF0: LdrInitializeThunk.NTDLL ref: 00FC2DFA
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC0BA3
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC0BB6
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC0D60
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC0D74
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                            • String ID:
                            • API String ID: 1404860816-0
                            • Opcode ID: a0f769cead387b0a1254890c0563b96791879448656c64a21eb8a76619d3da16
                            • Instruction ID: 15689586b78bf5407954d845d8204b49204d5809edd264bd9425a13fcc44b44b
                            • Opcode Fuzzy Hash: a0f769cead387b0a1254890c0563b96791879448656c64a21eb8a76619d3da16
                            • Instruction Fuzzy Hash: 39426972900719DFDB20CF24C981BAAB7F4BF04310F1445ADE999EB252DB74AA85DF60
                            Function 00F8A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                            • API String ID: 0-379654539
                            • Opcode ID: 3d833025f5e1a27ca9f0565573d78068f76a8755cc96c11ae33d09e209fec4c1
                            • Instruction ID: 832ba91d4d87caf19fc5f68d9e1340c9a08196550426ea422a10a5d3fb38fcf2
                            • Opcode Fuzzy Hash: 3d833025f5e1a27ca9f0565573d78068f76a8755cc96c11ae33d09e209fec4c1
                            • Instruction Fuzzy Hash: 13C1AD71508382CFEB21EF19C540BAAB7E4FF84714F14486AF8958B251E778CA49EB53
                            Function 00FB8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                            Download Yara Rule
                            Strings
                            • LdrpInitializeProcess, xrefs: 00FB8422
                            • @, xrefs: 00FB8591
                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00FB855E
                            • minkernel\ntdll\ldrinit.c, xrefs: 00FB8421
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1918872054
                            • Opcode ID: d161cd02f1a9bf7beafdea2faaf5a302bef336fef8193138fe109770caf5b8ac
                            • Instruction ID: 9bb42646eaa39d9fce4110889fa7d994b5106bfb988cb0681114bfc1e7bf9776
                            • Opcode Fuzzy Hash: d161cd02f1a9bf7beafdea2faaf5a302bef336fef8193138fe109770caf5b8ac
                            • Instruction Fuzzy Hash: 8F919C71508745AFD721EA21CC41FABB7ECFF84794F44092EFA8492051EA34E945EB62
                            Function 00FB273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                            Download Yara Rule
                            Strings
                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 00FF21D9, 00FF22B1
                            • .Local, xrefs: 00FB28D8
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 00FF22B6
                            • SXS: %s() passed the empty activation context, xrefs: 00FF21DE
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                            • API String ID: 0-1239276146
                            • Opcode ID: b8039ea6ceb3a0ed827188555d0599e2162b364ecd3af1e3196770feaf3660c9
                            • Instruction ID: 1226be3d69d1e2ecf7f045950e234fcf58494ee87ff6e6ca7b29f6d5ae286b6e
                            • Opcode Fuzzy Hash: b8039ea6ceb3a0ed827188555d0599e2162b364ecd3af1e3196770feaf3660c9
                            • Instruction Fuzzy Hash: 95A19E35D002299BDB64DF65DC88BE9B3B1BF58324F2441EAD908AB251D7309E81EF90
                            Function 00FB4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                            Download Yara Rule
                            Strings
                            • RtlDeactivateActivationContext, xrefs: 00FF3425, 00FF3432, 00FF3451
                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 00FF3456
                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 00FF342A
                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 00FF3437
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                            • API String ID: 0-1245972979
                            • Opcode ID: 086301a7d517c8911070c76f9bc81f986dda9c4bc4c13402f85b0795c4db9797
                            • Instruction ID: 66f673bf7c3006cb16570113fd7ca73fac2a87201049e0e3c95a7d14214e8b7e
                            • Opcode Fuzzy Hash: 086301a7d517c8911070c76f9bc81f986dda9c4bc4c13402f85b0795c4db9797
                            • Instruction Fuzzy Hash: EF616672A00B119BC722CF19C942B7AB7E5EF90B60F148119F9559B291CB34FD00EB91
                            Function 00F864AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                            Download Yara Rule
                            Strings
                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00FE0FE5
                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00FE1028
                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00FE10AE
                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00FE106B
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                            • API String ID: 0-1468400865
                            • Opcode ID: f0c0f92bda1d6415eed5796a78fde45123e2e66f5baf66299da404ca761764e6
                            • Instruction ID: 29065b7cf988168f796338a4c4be85048c42129196d35961de8de613b1603829
                            • Opcode Fuzzy Hash: f0c0f92bda1d6415eed5796a78fde45123e2e66f5baf66299da404ca761764e6
                            • Instruction Fuzzy Hash: 3171E1B19043459FCB20EF14C885F977FA8EF94760F040469F9488B286D778D588EBD2
                            Function 00FA245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                            Download Yara Rule
                            Strings
                            • LdrpDynamicShimModule, xrefs: 00FEA998
                            • minkernel\ntdll\ldrinit.c, xrefs: 00FEA9A2
                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FEA992
                            • apphelp.dll, xrefs: 00FA2462
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-176724104
                            • Opcode ID: 3fcb0f0d09495c2f07e8dd5536ec29a47ff69bced627530df4e868e6b246c24d
                            • Instruction ID: 086cc97cc66c10a5105f1231626b499ac1cd1dbab65d2dffb272bce21f74fce4
                            • Opcode Fuzzy Hash: 3fcb0f0d09495c2f07e8dd5536ec29a47ff69bced627530df4e868e6b246c24d
                            • Instruction Fuzzy Hash: 62312A72E00341EBEB30DF599841AAEB7B4FB84B14F264029F841BB255C779AD41F782
                            Function 00F929A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                            Download Yara Rule
                            Strings
                            • HEAP: , xrefs: 00F93264
                            • HEAP[%wZ]: , xrefs: 00F93255
                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00F9327D
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                            • API String ID: 0-617086771
                            • Opcode ID: 6562bd9d2dc0cb3068d7fd81d7aa9d664f7cfa2546a2a510f7a6c246a67aeca3
                            • Instruction ID: a384a55945d23b5c462c7c0b2aa141af539350d08d1dbcbb8f889e0b9bc5dd76
                            • Opcode Fuzzy Hash: 6562bd9d2dc0cb3068d7fd81d7aa9d664f7cfa2546a2a510f7a6c246a67aeca3
                            • Instruction Fuzzy Hash: 8F92BC71E04249AFEF25CFA8C440BAEBBF1FF48314F188059E859AB251D735AA45EF50
                            Function 00F90770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-4253913091
                            • Opcode ID: 139f8b407f81b8fbc0d6caea7f17a16f7ba5d80b7e65a20bc4fd7324478f1290
                            • Instruction ID: f2f082c077051125eec1fdff511d2c6ee8db5f042c75bcb86b7fdf74162a023a
                            • Opcode Fuzzy Hash: 139f8b407f81b8fbc0d6caea7f17a16f7ba5d80b7e65a20bc4fd7324478f1290
                            • Instruction Fuzzy Hash: 9EF1CC31B00A46DFEB24CF69C880B6AB7B5FF45714F208168E5569B381DB34ED81EB91
                            Function 00FA6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: $@
                            • API String ID: 0-1077428164
                            • Opcode ID: 9268c22710b197d54e4789d2d8f79abba0761d9443bfc97cce72dd431416621f
                            • Instruction ID: dd7239d1f188d2a206fd6e4fbaff49c270d0ec813972d7bd45308ddb07aaffe3
                            • Opcode Fuzzy Hash: 9268c22710b197d54e4789d2d8f79abba0761d9443bfc97cce72dd431416621f
                            • Instruction Fuzzy Hash: 18C2B2B2A0C3819FDB25CF25C841BABB7E5AF89754F04892DF989C7241D734D805EB92
                            Function 00F7A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: FilterFullPath$UseFilter$\??\
                            • API String ID: 0-2779062949
                            • Opcode ID: 147aba2536a95c84014215819beac56c858b7e501ee9d589258c3d949f402d40
                            • Instruction ID: 492c0e3de28c4f2556d30ae6229318bedcc74056193d289330c35d7db6bd4c43
                            • Opcode Fuzzy Hash: 147aba2536a95c84014215819beac56c858b7e501ee9d589258c3d949f402d40
                            • Instruction Fuzzy Hash: A5A19C71D0022A9BDB31DF64CC89BEAB3B9EF44710F1541EAE908A7251DB359E84DF90
                            Function 00FA0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                            Download Yara Rule
                            Strings
                            • Failed to allocated memory for shimmed module list, xrefs: 00FEA10F
                            • LdrpCheckModule, xrefs: 00FEA117
                            • minkernel\ntdll\ldrinit.c, xrefs: 00FEA121
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-161242083
                            • Opcode ID: be31e1ba92717b78226207bf526d1bad642a96b9c8d59e83adaa1a619c131c61
                            • Instruction ID: 51f73519e1415aa8f4a392d9be8c85affa272b4986da1570007797f4106082ef
                            • Opcode Fuzzy Hash: be31e1ba92717b78226207bf526d1bad642a96b9c8d59e83adaa1a619c131c61
                            • Instruction Fuzzy Hash: 9671DFB1E002059FDB24DF68DD41BBEB7F4EB84724F14412DE842AB251EA39AD41EB51
                            Function 00F90A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-1334570610
                            • Opcode ID: 120936669d2c3b7a0628c888f8f40bcf01cab03b8e22551b4d04c6d4bc934c0f
                            • Instruction ID: 59e777c7993b6b09679c8b5ffd8e328410017e89ba79490caea72b837d9426f6
                            • Opcode Fuzzy Hash: 120936669d2c3b7a0628c888f8f40bcf01cab03b8e22551b4d04c6d4bc934c0f
                            • Instruction Fuzzy Hash: 8461D371600741DFEB28CF24C440B6ABBE2FF45714F24846AE599CF296DB74E841EB91
                            Function 00FBC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                            Download Yara Rule
                            Strings
                            • Failed to reallocate the system dirs string !, xrefs: 00FF82D7
                            • LdrpInitializePerUserWindowsDirectory, xrefs: 00FF82DE
                            • minkernel\ntdll\ldrinit.c, xrefs: 00FF82E8
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1783798831
                            • Opcode ID: 94d0241a9fa44e2ab8b5a429647dbf48768a80ad0a6154815ee5f66e78706d0a
                            • Instruction ID: ef60bc86a8ce6379c4a86d7ba43e4abf1dff1983411ec6fffedb411ee2a3d118
                            • Opcode Fuzzy Hash: 94d0241a9fa44e2ab8b5a429647dbf48768a80ad0a6154815ee5f66e78706d0a
                            • Instruction Fuzzy Hash: 14410371944304ABD720EB25DC45F9B77E8FF48760F10452AF984E72A1EB79D800AF92
                            Function 0103C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                            Download Yara Rule
                            Strings
                            • @, xrefs: 0103C1F1
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0103C1C5
                            • PreferredUILanguages, xrefs: 0103C212
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                            • API String ID: 0-2968386058
                            • Opcode ID: 1856fdae07842cd719d53b101b6f142e81cd833050187d50f66211dcef1b72e7
                            • Instruction ID: cc26c60e8a2a46cd15f9d44955bc8110906539e33dd6c7d364160a1db94acd31
                            • Opcode Fuzzy Hash: 1856fdae07842cd719d53b101b6f142e81cd833050187d50f66211dcef1b72e7
                            • Instruction Fuzzy Hash: 24416272A00219ABEF51DAD8CD41FEEBBFCAB84700F14416BEA49F7240D7749E449B50
                            Function 01014144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                            • API String ID: 0-1373925480
                            • Opcode ID: 1bdac2c32de439ac40ce26374b3746d56d2e7027d84df8de54ab013dc4867776
                            • Instruction ID: 5edfd63e8988ea07ccb7e01454b6d19a5791893951c590a8ad18db7ab9343206
                            • Opcode Fuzzy Hash: 1bdac2c32de439ac40ce26374b3746d56d2e7027d84df8de54ab013dc4867776
                            • Instruction Fuzzy Hash: C3411431A042588BEB22DBD8C840BEDBBF4FF45344F24049AE981EB7A6D7388941CB50
                            Function 01004755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                            Download Yara Rule
                            Strings
                            • minkernel\ntdll\ldrredirect.c, xrefs: 01004899
                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01004888
                            • LdrpCheckRedirection, xrefs: 0100488F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-3154609507
                            • Opcode ID: 5b15a1ebd8ff0728491ef157d3cfebf5f6bedd7596149543a951dd4717f862db
                            • Instruction ID: bb8b1dab0871242527eb950cd1e0d9d768010accb1fa6f6c212fcfe4d2c8549b
                            • Opcode Fuzzy Hash: 5b15a1ebd8ff0728491ef157d3cfebf5f6bedd7596149543a951dd4717f862db
                            • Instruction Fuzzy Hash: BC41D432A047518FEB63DE18D840A2A7BE4FF89650F050999EFC9D7291D331D900CB95
                            Function 00F90BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-2558761708
                            • Opcode ID: b539d858bf4b4a94de7a7e175f9ff5fc8c6a70eae5acec8bbce5adc2d439b60b
                            • Instruction ID: d0cac558f3a327d4ef140c274478fed32e13b56ca79fff86f16c0d768d2ed803
                            • Opcode Fuzzy Hash: b539d858bf4b4a94de7a7e175f9ff5fc8c6a70eae5acec8bbce5adc2d439b60b
                            • Instruction Fuzzy Hash: 38110631315981DFEB28DA15C861B75B3A4EF80B2AF24811AF50ACB291DB34DC84F751
                            Function 010020DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                            Download Yara Rule
                            Strings
                            • Process initialization failed with status 0x%08lx, xrefs: 010020F3
                            • minkernel\ntdll\ldrinit.c, xrefs: 01002104
                            • LdrpInitializationFailure, xrefs: 010020FA
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2986994758
                            • Opcode ID: d3628c850ce23804fa28cc0c853e1b07e53919dbe9097dabc3a3446777f45471
                            • Instruction ID: db5cba32affeaeb4eef5154f852c353db868e03b1cbfcae4b47e19571e95711d
                            • Opcode Fuzzy Hash: d3628c850ce23804fa28cc0c853e1b07e53919dbe9097dabc3a3446777f45471
                            • Instruction Fuzzy Hash: 9DF0A435A40208ABF725E64C9C57FD577A8FB40B54F540065F7807B2C6D2B4A550EA92
                            Function 00F903E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: #%u
                            • API String ID: 48624451-232158463
                            • Opcode ID: d90863a80e27dcfb16040e8fea5712107627f7fc8bafdae77c79a20f997eae4d
                            • Instruction ID: 57f02e40d55ceaa59b409971f35511bdeb3d323480a33eb2948a28b87ba0d55d
                            • Opcode Fuzzy Hash: d90863a80e27dcfb16040e8fea5712107627f7fc8bafdae77c79a20f997eae4d
                            • Instruction Fuzzy Hash: AC715C71E0014A9FDF01DFA9C991FAEB7F8AF48744F144069E905E7251EA38EE01DBA0
                            Function 00F8A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                            Download Yara Rule
                            Strings
                            • LdrResSearchResource Exit, xrefs: 00F8AA25
                            • LdrResSearchResource Enter, xrefs: 00F8AA13
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                            • API String ID: 0-4066393604
                            • Opcode ID: 1b42330faded48d4c029761319f9357b4694f533bde57435fb353b2eca2f72fe
                            • Instruction ID: 631167301d0a6a8c5e68185ae0cdf384f94710fbd866895c1cd5cd8f02ab6986
                            • Opcode Fuzzy Hash: 1b42330faded48d4c029761319f9357b4694f533bde57435fb353b2eca2f72fe
                            • Instruction Fuzzy Hash: BDE18F72E00259DFEB25EE99C984BEEB7B9EF54324F10402AE901E7250E738DD40EB51
                            Function 0104A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                            • Instruction ID: 8013cb0e65be14baeaa12bb6bc2e6bb9ecb4a326b710f40e5f2261f635bc46ce
                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                            • Instruction Fuzzy Hash: 02C1AEB13443429BEB25CE28C881B6BBBE5AFC8314F084A3DF6D68B291D775D505CB91
                            Function 00FFE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            • Opcode ID: 01596b8895191c87c32cef3d37fffe286099462bb591939814c2386d3860bafd
                            • Instruction ID: a4186e28df77fbb695402c90f4456848eb332bd930a044528dcc670789aeac77
                            • Opcode Fuzzy Hash: 01596b8895191c87c32cef3d37fffe286099462bb591939814c2386d3860bafd
                            • Instruction Fuzzy Hash: E6613D72E402189FDB24EFA88941BBDBBB5FF44740F14406DE659EB2A1D731A900EB50
                            Function 010243D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$MUI
                            • API String ID: 0-17815947
                            • Opcode ID: 0d6e8333c08de15a24506ddf5ecc08cb0374fb47723c74bd414e0cf3553a1bd4
                            • Instruction ID: 50655bd81fca8b6794946dec7e75ba0e9b88847bbcf52df4eca1cf3cb946f80c
                            • Opcode Fuzzy Hash: 0d6e8333c08de15a24506ddf5ecc08cb0374fb47723c74bd414e0cf3553a1bd4
                            • Instruction Fuzzy Hash: E35138B1E0062DAEDB11DFA8CC81EEEBBBCEB44754F100129E641E7281DB359A05CB60
                            Function 00F804E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                            Download Yara Rule
                            Strings
                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F8063D
                            • kLsE, xrefs: 00F80540
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                            • API String ID: 0-2547482624
                            • Opcode ID: dc1dcdcf96e3a64b81dcec669dfbbb33029349fde50678894b0035709e2e7382
                            • Instruction ID: 1073c142aed5a376dbe17be068ef2caad2291e7325b8bcfb6b238720cd6e24cf
                            • Opcode Fuzzy Hash: dc1dcdcf96e3a64b81dcec669dfbbb33029349fde50678894b0035709e2e7382
                            • Instruction Fuzzy Hash: 9951D071A047468FC764EF24C5406E7B7E4AF84310F48483EE9DA87241EB34E949DFA2
                            Function 00F8A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                            Download Yara Rule
                            Strings
                            • RtlpResUltimateFallbackInfo Exit, xrefs: 00F8A309
                            • RtlpResUltimateFallbackInfo Enter, xrefs: 00F8A2FB
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                            • API String ID: 0-2876891731
                            • Opcode ID: b9496237fdc292fed0ccb66b6955933c1dd368f0d948a590272e75214534eb02
                            • Instruction ID: 4f226738d691cf62e12cbafeba513e490ce21d2e35d9b7e5b6ed04985d7c61a4
                            • Opcode Fuzzy Hash: b9496237fdc292fed0ccb66b6955933c1dd368f0d948a590272e75214534eb02
                            • Instruction Fuzzy Hash: 7741C131A04689DBEB21DF59C840BAD77B4FF84710F2440AAE804DB2A1F776DD00EB51
                            Function 00FBA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Cleanup Group$Threadpool!
                            • API String ID: 2994545307-4008356553
                            • Opcode ID: 31a56ae6e97afac38c3b71b91eb3dcc2cfe0b6c55b0fa669642dc7dc9e07e9bf
                            • Instruction ID: 8506ad988624f4a26a5b280f0554a1d7d9b53b0e3c513c287a3ec462b0fad5fb
                            • Opcode Fuzzy Hash: 31a56ae6e97afac38c3b71b91eb3dcc2cfe0b6c55b0fa669642dc7dc9e07e9bf
                            • Instruction Fuzzy Hash: D101D1B2640B40AFE311DF14CD46F5677E8E754B16F048939B649C7190EB38E908EB46
                            Function 00F8C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: MUI
                            • API String ID: 0-1339004836
                            • Opcode ID: 769e841bf70663ef73da04b715096819af2de544148d32189867ecadccae9a6d
                            • Instruction ID: 78b25383908e4cf9e11248342db96d2ad0001ae43b35e08d2d003a4f6aa94cd5
                            • Opcode Fuzzy Hash: 769e841bf70663ef73da04b715096819af2de544148d32189867ecadccae9a6d
                            • Instruction Fuzzy Hash: ED824D75E002189FDB24EFA9C880BEDB7B5FF44710F14816AE859AB391D7349D41EB90
                            Function 01006420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 8bde723903f237b95ae413f6a76035e6de4bce507b4bdb54f138e6fb2b4d7813
                            • Instruction ID: 41cb786fb4d9bf520894e1f8bbda5b7c447bd7b36b10ba81932a8d1eae5045df
                            • Opcode Fuzzy Hash: 8bde723903f237b95ae413f6a76035e6de4bce507b4bdb54f138e6fb2b4d7813
                            • Instruction Fuzzy Hash: 749162B1900619AFEB22DB94CD85FAE7BB9EF09B50F100055F600BB191D776AD00DB60
                            Function 0102E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 3b71fdbceeceaf10857a70cc0ccdc2f9ebee005d8070e813395fd5b9bca13ba2
                            • Instruction ID: fa1bf9aa893b9ba0f6eac15f840469ab693994959f751219d3e5c563abc1a979
                            • Opcode Fuzzy Hash: 3b71fdbceeceaf10857a70cc0ccdc2f9ebee005d8070e813395fd5b9bca13ba2
                            • Instruction Fuzzy Hash: C491ED32940618BEEF22EBA4DC45FEFBBB9EF85740F100029F505A7251DB399905DB90
                            Function 00FBA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: GlobalTags
                            • API String ID: 0-1106856819
                            • Opcode ID: 9995b826d0b0c9a7e4980c78670c4c68711ae9349ac8563a0fc410044389df73
                            • Instruction ID: a9db38e2ba4cfda2bfea8091ea596397f490f5c98846ff4ccb80c500520ed1a6
                            • Opcode Fuzzy Hash: 9995b826d0b0c9a7e4980c78670c4c68711ae9349ac8563a0fc410044389df73
                            • Instruction Fuzzy Hash: 6A718E76E0020A9FDF28DF98C9916EDBBB1BF58754F24812EE505E7250DB358C41EB50
                            Function 01024978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: .mui
                            • API String ID: 0-1199573805
                            • Opcode ID: 2c0d210f39224863a0cc5e4c89915a4d13476a13e2a50981b3361ae252b6621a
                            • Instruction ID: fb98cafc616a24dc5dbbafea6825a736f127021e3c22d8b8bf9b190ec76fcc03
                            • Opcode Fuzzy Hash: 2c0d210f39224863a0cc5e4c89915a4d13476a13e2a50981b3361ae252b6621a
                            • Instruction Fuzzy Hash: DE517C72D002399BDF11DFA9D840AEEBBB4AF08B50F05416AFA55FB241D7789D01CBA4
                            Function 00F9E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: EXT-
                            • API String ID: 0-1948896318
                            • Opcode ID: e81ea86f8832ccdec8d01e33b6e9d6069c0126a4e85d90ffbf883d753e13a98c
                            • Instruction ID: 5cff195b5f0dec381beffda23a04087d9ea5429c652d59b1cad2791cea590842
                            • Opcode Fuzzy Hash: e81ea86f8832ccdec8d01e33b6e9d6069c0126a4e85d90ffbf883d753e13a98c
                            • Instruction Fuzzy Hash: BB41B572908301ABEB10DAB5C881B6BB7D8AF88B14F44092DF995D7181E778DD08E793
                            Function 00FFC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            • Opcode ID: 04d772a07c228cb12e27ee0e0ee751fcc3ee362c7af690a0dad5acc080aaffa9
                            • Instruction ID: bd9fb0b6cd6758a4362ec9b636b6f51387f0ddac0e4baf3e0d24cfee676ac7bb
                            • Opcode Fuzzy Hash: 04d772a07c228cb12e27ee0e0ee751fcc3ee362c7af690a0dad5acc080aaffa9
                            • Instruction Fuzzy Hash: 2F4190B1D0023DAADB20DA60CD81FEEB77CAF44754F0045A5EB08AB151DB749E88DFA4
                            Function 01016B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: #
                            • API String ID: 0-1885708031
                            • Opcode ID: adb8760901a3b84315134374e84f4dd3f9bde5a990dfa0d2e0a0427e2f64fd7e
                            • Instruction ID: c3539647eaaaec001a7549d39e4ffb53662fb2fe7ec81350767a9692f96b668b
                            • Opcode Fuzzy Hash: adb8760901a3b84315134374e84f4dd3f9bde5a990dfa0d2e0a0427e2f64fd7e
                            • Instruction Fuzzy Hash: 54310B31A0060D9AEB22DB68CC50BFE77F4DF04704F144068E981AB282C7AEE845CB50
                            Function 00FFCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryName
                            • API String ID: 0-215506332
                            • Opcode ID: f66fdc2f4c2aaed5dbe8b0c536d8b587c67b53ac9360aa8d0d0a199f5cc604a7
                            • Instruction ID: 7ad17e704da241bdef4c2d3d7ae5b246558c8ff6b66e5929007af6a419597edf
                            • Opcode Fuzzy Hash: f66fdc2f4c2aaed5dbe8b0c536d8b587c67b53ac9360aa8d0d0a199f5cc604a7
                            • Instruction Fuzzy Hash: E131D43AD0052DAFEB15DB59CA56E7BB774EFC0720F114129AA05A72A1D7309E04E7E0
                            Function 0100892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                            Download Yara Rule
                            Strings
                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0100895E
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                            • API String ID: 0-702105204
                            • Opcode ID: 8ee79f93aab52fdf0b74ef7b8d09d4a5db7bae2d50e6512b243ee1dc712983b1
                            • Instruction ID: 9fedbe1288cc6b2a3321d2e95d70b320420cde6b98b68189117935067d863e77
                            • Opcode Fuzzy Hash: 8ee79f93aab52fdf0b74ef7b8d09d4a5db7bae2d50e6512b243ee1dc712983b1
                            • Instruction Fuzzy Hash: 4001F731B002019BF6267A59DC84A9A7BA5FF86354F09002EF6C1165D2CF25AC41C797
                            Function 01022000 Relevance: .8, Instructions: 757COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 73b19cfdd08ba096110d0ef5005c5ee702e8555a5e224a91a38fcd35fede0f8f
                            • Instruction ID: c54128e7c78c0f2289e171499111e11831cc86dde2f36dbd0d23508be548d29a
                            • Opcode Fuzzy Hash: 73b19cfdd08ba096110d0ef5005c5ee702e8555a5e224a91a38fcd35fede0f8f
                            • Instruction Fuzzy Hash: CF42F3326083619FE765CFA8C890A6FBBE5BF88300F08496DFAC297251D771D945CB52
                            Function 01018158 Relevance: .6, Instructions: 617COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8b8f75d0730651432b499b6d230134cd406387dced2631c96a5680eb1afbcf2b
                            • Instruction ID: a71b59fd1d0d25e5215d98857a7e368fdf9aefc9ee8d79692449f06263dfcb31
                            • Opcode Fuzzy Hash: 8b8f75d0730651432b499b6d230134cd406387dced2631c96a5680eb1afbcf2b
                            • Instruction Fuzzy Hash: E2424175E002198FEB65CF59C841BADBBF5BF48300F14C19AE989EB245DB389A85CF50
                            Function 00F92840 Relevance: .6, Instructions: 605COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 24358a64819b4ddc106d178a5294110664343baa8990adb476b94c1ef4261b10
                            • Instruction ID: d342debf38727d10c4a1dd096ac31642c36142d4026d4088ce86f5ad966b3cae
                            • Opcode Fuzzy Hash: 24358a64819b4ddc106d178a5294110664343baa8990adb476b94c1ef4261b10
                            • Instruction Fuzzy Hash: 2B32D070A007999BDB24CF6AC8447BEBBF2BFA4354F24411DD486DB285DB35AD02EB50
                            Function 0102A118 Relevance: .6, Instructions: 591COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d49ea98ffee173a90bb83c99087937845ee1cc5d85addba60c4d9f29704526a5
                            • Instruction ID: 9f7ef831d797f55fe5ac2fb8199819efd00a56e8aaed806c45cae395b8ce6970
                            • Opcode Fuzzy Hash: d49ea98ffee173a90bb83c99087937845ee1cc5d85addba60c4d9f29704526a5
                            • Instruction Fuzzy Hash: 7F22BC70704671CBEB65CF2DC494376BBE1AF49304F18849AE9C68BA86DB35E446CB60
                            Function 00F86A50 Relevance: .5, Instructions: 548COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b24f816d78183e9322673abaef0b52ddd5938542bb3cd3678582074dc97e689
                            • Instruction ID: d3e7d99c46322993907d1f660603a5f3d2a14ef57009a8a5d9de81b93058ff73
                            • Opcode Fuzzy Hash: 6b24f816d78183e9322673abaef0b52ddd5938542bb3cd3678582074dc97e689
                            • Instruction Fuzzy Hash: 3B328B71A01245CFDB24DFA9C880BAAB7F1FF88314F248569E956EB391D734AC41EB50
                            Function 00FA4A35 Relevance: .4, Instructions: 423COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                            • Instruction ID: c3eb9b4459f57d8da772eac8139ebb03d028197f38e700ac1167924a4506b3bf
                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                            • Instruction Fuzzy Hash: 63F172B1E016199BDF14CF95C980BAEB7F5BF89720F148129E905AB340E774ED42EB60
                            Function 0101892B Relevance: .4, Instructions: 386COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20bf6546ca05ad7e15c6d9cdff842c4594b2b0822ca29144273ab32dd7461d7c
                            • Instruction ID: 27e3c0bb63a89d88889cc4e1cea594f58e4dc69431129dc01e57cfccabc77d5a
                            • Opcode Fuzzy Hash: 20bf6546ca05ad7e15c6d9cdff842c4594b2b0822ca29144273ab32dd7461d7c
                            • Instruction Fuzzy Hash: 1AD1E372A006098BDF15CF58C881AFEB7F6BF88304F18C16AD995A7245D739EA05CB50
                            Function 00F865D0 Relevance: .4, Instructions: 383COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2937c9889ed8e226fb18d092e8a15d0866e17b2e1b1c059106fa30c86d3ecbb0
                            • Instruction ID: 97ccfe8ffbcc402a79be287c79a96a92854f51cc4c9993c3d951bfb71943eb78
                            • Opcode Fuzzy Hash: 2937c9889ed8e226fb18d092e8a15d0866e17b2e1b1c059106fa30c86d3ecbb0
                            • Instruction Fuzzy Hash: C2E18D71908341CFC714DF28C490AAABBE0FF99318F15896DE999CB351EB31E905DB92
                            Function 00F78397 Relevance: .4, Instructions: 380COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9138b6a43a0c6e92dcf906e9bea98b4befa1fc6e9d5e51bc29ae4b3019c3763
                            • Instruction ID: a95726890586cbe014426b0ea8dacd73a5ff769ebc5b0f9933a3647e3803bd57
                            • Opcode Fuzzy Hash: a9138b6a43a0c6e92dcf906e9bea98b4befa1fc6e9d5e51bc29ae4b3019c3763
                            • Instruction Fuzzy Hash: 6DD1F572A40206DBCB14DF24CC85BBE73A5BF44354F19862BF91ADB281EB34D942EB51
                            Function 01008243 Relevance: .3, Instructions: 322COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                            • Instruction ID: c58e90b9ba159efec749919bd1a93542d064b923191eca2fe302164951a97c03
                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                            • Instruction Fuzzy Hash: 82B16374E006059FEF66DF59C940AEBBBF9BF84304F10846EAA82977D1DA35E905CB10
                            Function 00F90535 Relevance: .3, Instructions: 300COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                            • Instruction ID: 8c04a02c0d77efb512e1641c06ab9d1de8e3c272756a1a6817cccc42fde78d93
                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                            • Instruction Fuzzy Hash: 12B12832A00686AFEF11CBA5C850BBEB7F6AF84710F254169E552D7281DB34ED41FB90
                            Function 00F883C0 Relevance: .3, Instructions: 281COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e57a4b01d5540bf0c490d7ecc01adca533218abb409f60dc80b0dad4ad8b10f
                            • Instruction ID: f223e48c4314749a8d21978391ae36dc92d593c622972de517a3d568699c2578
                            • Opcode Fuzzy Hash: 7e57a4b01d5540bf0c490d7ecc01adca533218abb409f60dc80b0dad4ad8b10f
                            • Instruction Fuzzy Hash: 8DC19974508381CFD760DF19C884BABB7E4BF88354F44492DE9898B290DB74E909DF92
                            Function 00F7C427 Relevance: .3, Instructions: 280COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba1b7af42d2d81d7d4d97eb313d43ab7ff83fefbf78f177e329c88ce46779ef3
                            • Instruction ID: 3d9eaf8a667e47d26422df6ab9b2798f9ef106b028c75a8863f26492f0ff2683
                            • Opcode Fuzzy Hash: ba1b7af42d2d81d7d4d97eb313d43ab7ff83fefbf78f177e329c88ce46779ef3
                            • Instruction Fuzzy Hash: E4B17070A002658BDB24CF54C890BA9B3B2AF44710F14C5EED44EE7281EB35AD85DB66
                            Function 00FAE5E7 Relevance: .3, Instructions: 278COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a26319c8e6149d4ca780324481346f08d68e61925358adb97fe411b61c981c7f
                            • Instruction ID: 2f2c415865c2158f1bffab5cc46da46c4b61e34d9a7477aa2d565b09f0bd214f
                            • Opcode Fuzzy Hash: a26319c8e6149d4ca780324481346f08d68e61925358adb97fe411b61c981c7f
                            • Instruction Fuzzy Hash: 76A15772E006999FEB21DB59CC44FAEB7B4EF06720F240125E950AB2D0D7789D44EBD1
                            Function 00FC0185 Relevance: .3, Instructions: 276COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7a8253b0a9ae35157b9586811c3cef498b5d77e363430fd12d44126ccc85d3dd
                            • Instruction ID: b7ab50989cc4c6949b6b1fea41b5270964ded22ff2bcdee583a0e8b53dedef86
                            • Opcode Fuzzy Hash: 7a8253b0a9ae35157b9586811c3cef498b5d77e363430fd12d44126ccc85d3dd
                            • Instruction Fuzzy Hash: 5CA1B171F0061ADBDB24DF65CA92BBAB3A1FF54324F10402DEA45D7291DB78E812EB50
                            Function 01054500 Relevance: .3, Instructions: 275COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 82aaf07225bd34b8ceaef46bb3356803558925780d0242b08eaeb65fb231a503
                            • Instruction ID: e4946dee29a1c64f3eb64e01393065cd0c9b87585b75b727af70b0891040828d
                            • Opcode Fuzzy Hash: 82aaf07225bd34b8ceaef46bb3356803558925780d0242b08eaeb65fb231a503
                            • Instruction Fuzzy Hash: 66A10172900601AFD791DF18CD81BAABBE9FF48704F450568F985DB212E335ED40CB91
                            Function 01052B57 Relevance: .3, Instructions: 266COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                            • Instruction ID: 9eb7a1fd8a21b63f0fd482cbed3fcee7b75395c8ea05453051b7fddb6fc45e57
                            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                            • Instruction Fuzzy Hash: 56B15B71E0061ADFDF99DFA9C880AAEBBF5FF48310F148169E954A7351D730A941CBA0
                            Function 010060E0 Relevance: .3, Instructions: 264COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10342134a7db4460c9fcc306e47befb3e15fdd75a43e4b749730b134af0d38ad
                            • Instruction ID: 88238ffe5f85c909e249c580a54fbb6e0ce12cd4ea0522afd47d5107700b19fd
                            • Opcode Fuzzy Hash: 10342134a7db4460c9fcc306e47befb3e15fdd75a43e4b749730b134af0d38ad
                            • Instruction Fuzzy Hash: 8291C471D00615AFEF16CFA8DC90BBEBBB6AF48710F144169E640EB381D776D9109BA0
                            Function 00F9E3F0 Relevance: .3, Instructions: 261COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9a36348444806c0a7be3d0933dd3af5da1bdf994fb9d2492bc079a679a136120
                            • Instruction ID: d536442a8a7d95c857fac687da16333747ebddaae58ce53a423f30a0ef5e0585
                            • Opcode Fuzzy Hash: 9a36348444806c0a7be3d0933dd3af5da1bdf994fb9d2492bc079a679a136120
                            • Instruction Fuzzy Hash: C8915636E00655DBFF24DB29C840BBE77A1EF84724F194069E805DB391E638DD01E761
                            Function 00FD6ACC Relevance: .2, Instructions: 226COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f4e030abf7a2e265e07850b809b349c8662e7663d1ddab0ffe4297c069249f0
                            • Instruction ID: 8560207261036eed68d390297885b9d42473ee29625d93da47b376f505048ee2
                            • Opcode Fuzzy Hash: 4f4e030abf7a2e265e07850b809b349c8662e7663d1ddab0ffe4297c069249f0
                            • Instruction Fuzzy Hash: 7E81A071A0061A9BDB18CF69D941ABEBBFAFB48710F04852FE445E7740E734E940DBA4
                            Function 0104AB40 Relevance: .2, Instructions: 222COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                            • Instruction ID: 15cfcd3223a2702d237f91a712bf24101bcb6c7aa8f529486fb25f6e94fb5532
                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                            • Instruction Fuzzy Hash: 128170B1B00209DFDF59DF98C880AAEBBF6AF88310F188569D9969B345D734E901CB54
                            Function 00FBE284 Relevance: .2, Instructions: 212COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b02aa19d6969a6bf39be5a8a9b0205bfede0adf396b27aa9ce761f1ed20a21f
                            • Instruction ID: 4b63846b76685c0a468c598255848e97dbad782947fe6529677c9409129378fe
                            • Opcode Fuzzy Hash: 6b02aa19d6969a6bf39be5a8a9b0205bfede0adf396b27aa9ce761f1ed20a21f
                            • Instruction Fuzzy Hash: 0A815C71E00609AFDB25CFA5C880BEEBBFAFF48354F144429E556A7250DB70AC45EB60
                            Function 00F9C640 Relevance: .2, Instructions: 206COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e0329df37acf73327a344144a25423547e45c5114a2aea804c1283e8313c50a
                            • Instruction ID: dff8fba94d6dca6d4a4cf513e24e9fc4de68b0380898b8a4b7ad7b893743e3a8
                            • Opcode Fuzzy Hash: 1e0329df37acf73327a344144a25423547e45c5114a2aea804c1283e8313c50a
                            • Instruction Fuzzy Hash: 3C71FF75C006A5DBDB25DF99C8907BEBBB4FF58710F24411AE846AB390D7359801EBE0
                            Function 010347A0 Relevance: .2, Instructions: 202COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 73b8c380fccbacfd2f5042fb84e90c0c82c54d486b24921ae9dcc822bf03a3ad
                            • Instruction ID: 34a70315eba1b4e1ba758dcf885eb1c214c8499743bbaf0a35c0e5d331bfde42
                            • Opcode Fuzzy Hash: 73b8c380fccbacfd2f5042fb84e90c0c82c54d486b24921ae9dcc822bf03a3ad
                            • Instruction Fuzzy Hash: B87190B0D00A05EFEB60DF99DA45A9ABBF8EBC1300F01419AE685EB259C7368945CB54
                            Function 00F9260B Relevance: .2, Instructions: 201COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f94a39c821e04d500da1cf5ef743fb8c610ea0aad80494b088141f88bab456ac
                            • Instruction ID: 6d4c90242d48da8bed49ad3365f643285200f4052b5ede8d60ee4b8132f1a8c8
                            • Opcode Fuzzy Hash: f94a39c821e04d500da1cf5ef743fb8c610ea0aad80494b088141f88bab456ac
                            • Instruction Fuzzy Hash: 94711675A046429FD751DF28C480B6AB7E5FF84310F0485AAF898CB752DB38DC46DB92
                            Function 0100035C Relevance: .2, Instructions: 198COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                            • Instruction ID: 19ca02020dbbf897689d0d91cea97ff4b81d53e1d4e57b4e70a18bf5f3b9a801
                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                            • Instruction Fuzzy Hash: CD716A71A00609AFEB11DFA9C984FEEBBF8FF48744F104569E545A7291DB34EA01CB90
                            Function 010162A0 Relevance: .2, Instructions: 198COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04b63dff36fe07926080637690017815084d78f492518ff36c2d110e3281446a
                            • Instruction ID: 53547fc8456b7b1b441d18c4c96e83a599c77244b22e88fd22f190a069af0541
                            • Opcode Fuzzy Hash: 04b63dff36fe07926080637690017815084d78f492518ff36c2d110e3281446a
                            • Instruction Fuzzy Hash: 7A712732140B01AFEB32DF18CC41F5ABBE6FF44710F108418E296972A5DBBAE944DB50
                            Function 00F88AA0 Relevance: .2, Instructions: 197COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3cb79ca6036b93ce8628c09d32806229cffda2d9a9ee984d491776c3bf658a19
                            • Instruction ID: 6b78de8b9f1ec56dd1979f05b8210dee83a805cc8f7938fe4589613075c70524
                            • Opcode Fuzzy Hash: 3cb79ca6036b93ce8628c09d32806229cffda2d9a9ee984d491776c3bf658a19
                            • Instruction Fuzzy Hash: 2181DE72E04345CFDB24DF99D484BAEB3B5BF88320F654129D900BB291EB799D41EB90
                            Function 01058324 Relevance: .2, Instructions: 192COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c566170cfebdf9d3ef4c93d84089f42845938c0a62230158c29d3442487f8d9d
                            • Instruction ID: 2a79172dc8fe0d4af669e064635fdaac74047ca8548663c95516e18cd14a0062
                            • Opcode Fuzzy Hash: c566170cfebdf9d3ef4c93d84089f42845938c0a62230158c29d3442487f8d9d
                            • Instruction Fuzzy Hash: 0A711A71E00209AFDB55DF95CC81FEFBBB8EB04350F10816AEA55A6291DB74AA05CB90
                            Function 0103A250 Relevance: .2, Instructions: 184COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 90d5ac45d2a3c9879b078bc240f9334e25ab3da2f8552a5f11a7b0ff4b9a982c
                            • Instruction ID: 40ab1a8c11c0166457973c5c0995e07376420c7c4f1cd0f142ade25af026d320
                            • Opcode Fuzzy Hash: 90d5ac45d2a3c9879b078bc240f9334e25ab3da2f8552a5f11a7b0ff4b9a982c
                            • Instruction Fuzzy Hash: D051AD72A04612EFD712DA68C884F5BB7ECEBC9750F004929BAC0DB150EB75ED0587A2
                            Function 01028350 Relevance: .2, Instructions: 161COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb9ec42a0ed35c8d99961aa624a237bf8b6aa5b04db63eb0d490ef4d118bc6c0
                            • Instruction ID: c4fd2f35f4721d94e863bb111fc79deb0c7233ab70d462bf13ebaaaa8d80dac4
                            • Opcode Fuzzy Hash: bb9ec42a0ed35c8d99961aa624a237bf8b6aa5b04db63eb0d490ef4d118bc6c0
                            • Instruction Fuzzy Hash: 6951C174900715DFD721CF5AC880AABFBF8BF94710F10861FE296576A1CBB0A945CB90
                            Function 00FBE443 Relevance: .2, Instructions: 158COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d4f6ebdec7f1c2f5d57c00be818fd0d3eea399b5416639af1a9ed8ffeeb138c
                            • Instruction ID: e6e54166da023bdac1654de7c13b225bb3c655accda1aeb9d0dd2ba9ee1dfc22
                            • Opcode Fuzzy Hash: 6d4f6ebdec7f1c2f5d57c00be818fd0d3eea399b5416639af1a9ed8ffeeb138c
                            • Instruction Fuzzy Hash: 5E516771600A09EFDB21EF65C980FAAB3E9FF04794F50046AE646D7261D738AE40EB50
                            Function 01024180 Relevance: .2, Instructions: 156COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 338af46dc57fc74771ea665bee46fe17c72b65ae35fdfed1a59c31c7ded37600
                            • Instruction ID: 2fce2576493740b17a9f21ea8bc6c1a693b7dc2532d09beda6bc99cd4f908c5f
                            • Opcode Fuzzy Hash: 338af46dc57fc74771ea665bee46fe17c72b65ae35fdfed1a59c31c7ded37600
                            • Instruction Fuzzy Hash: 7E5166716083129FD750DF29C881A6BBBE5BFC8708F44892DF589C7250EB34D905CB96
                            Function 00FA45B1 Relevance: .2, Instructions: 156COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                            • Instruction ID: b766bf7da317b7391c21c5af574f484bba9d1a617bfc10cbf6ac8acf631c7d8d
                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                            • Instruction Fuzzy Hash: 9F51CEB5E0025AABCF15DF94C841BEFBBB9AF86710F044069E900AB240D774EE44DBA0
                            Function 0100E9E0 Relevance: .2, Instructions: 154COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                            • Instruction ID: 5470576e78d41314900a17e098439a8c168914b32c54627a6878a8852c71b7a6
                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                            • Instruction Fuzzy Hash: BC51C771D00A09EFFF229A94CC81FAFBBB4AB04324F154A69E652771D1D7349E40C7A0
                            Function 01048B28 Relevance: .2, Instructions: 152COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c7d28a7bc7f114c32c30f1f3eb10c6d22f87e39f84b74c6c916b3e6a5c1df362
                            • Instruction ID: b16f7a00df47c1df96ed731d38d29dac06efc5701ba4aaee152199894b855aff
                            • Opcode Fuzzy Hash: c7d28a7bc7f114c32c30f1f3eb10c6d22f87e39f84b74c6c916b3e6a5c1df362
                            • Instruction Fuzzy Hash: 9441E5F07016159FE669DB6DC8D4B7BBBDAEF80220F04C97AEAD587280DB34D841C691
                            Function 0100CBF0 Relevance: .1, Instructions: 148COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08966c8edee719bb76cbdcee42ae955d0c1a963c4f2ae3a61fb98e1b13ae40d1
                            • Instruction ID: 00a38544ea35ba98dc00df25fd330050335fbd50fd2d4f0da274dbfc5f0440ad
                            • Opcode Fuzzy Hash: 08966c8edee719bb76cbdcee42ae955d0c1a963c4f2ae3a61fb98e1b13ae40d1
                            • Instruction Fuzzy Hash: 5351BF71900219DFFB61DFA8CA8099EBBF5FB48314F54469AE586A3341D735AA01CF90
                            Function 00FBA430 Relevance: .1, Instructions: 139COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff05437168a664d391a2e802f4acbda3700647c7427252baa65f4eb22f2fc7a5
                            • Instruction ID: 75fb32a69d2abf7bbf51762e778078a29447557c6eb8513e4a7847e4cf6e6b65
                            • Opcode Fuzzy Hash: ff05437168a664d391a2e802f4acbda3700647c7427252baa65f4eb22f2fc7a5
                            • Instruction Fuzzy Hash: 3D41FC71E402059BDB24FF669C92BBA3765AB44728F05002DFD42EF261DB7A9C01AF51
                            Function 0104A9D3 Relevance: .1, Instructions: 139COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                            • Instruction ID: c1e94f01662c61da44176a6c3812e653948a8ba142d1425feff9eae69548bee6
                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                            • Instruction Fuzzy Hash: 6641F5B1745606EFDB25CE58C8C0A6AB7E9FF84210B05867EE9928B241EB30EC14C7D0
                            Function 00FB01F8 Relevance: .1, Instructions: 138COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b4fe8208d7b42131f7dc74ab41901409b47c4deeb36d21b7ef566bfde36de9b
                            • Instruction ID: 91d2b186d34b0d3511a2f90c3f7089cd5403d28ff0c5d0b0034d944130419e37
                            • Opcode Fuzzy Hash: 9b4fe8208d7b42131f7dc74ab41901409b47c4deeb36d21b7ef566bfde36de9b
                            • Instruction Fuzzy Hash: F241BD36D00219DBDB10DF9AC840AEEB7B5BF48710F18816EE819F7250EB349D45EBA4
                            Function 00FAEBFC Relevance: .1, Instructions: 138COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 709ada0dc8538813e915c3008ed90542f16f082c5baaf42d154713de135f1b9c
                            • Instruction ID: 8bb5e93764fdaf668133922d8c575b800a292fc3a1f99c8451c7c1a1aefafa39
                            • Opcode Fuzzy Hash: 709ada0dc8538813e915c3008ed90542f16f082c5baaf42d154713de135f1b9c
                            • Instruction Fuzzy Hash: 5941B3B26047419FDB20DF25C880A1BB7E9FF89324F154939E556C7211EB35E848EB51
                            Function 00FC2750 Relevance: .1, Instructions: 137COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction ID: f04ba93de1aa63a072e312f4b435e47ea0ba644cca84d8a4c8b09f0c515de61b
                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction Fuzzy Hash: 715139B5E002198FCB14CF98C580AADF7B2FF84720F2481A9D959A7360D770AE41DB91
                            Function 00F86154 Relevance: .1, Instructions: 133COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c79a98f29c7f829d17282e2b1d08a586c8ceb6de61d55d0ba79166413454d01b
                            • Instruction ID: 15ba4703bd9b3f8c72b9a301a31a42723c6d6722c7b964783f457aaebe8b7e07
                            • Opcode Fuzzy Hash: c79a98f29c7f829d17282e2b1d08a586c8ceb6de61d55d0ba79166413454d01b
                            • Instruction Fuzzy Hash: 0B510370D005469BDF25DB68CC01BE8B7A1EB15324F1482E9E429A72C2DB799D81EF40
                            Function 00F80BCD Relevance: .1, Instructions: 130COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8bca57fb9f17082a494cb2902eff2e962725f4de70d36ef10fe52854d2c8038d
                            • Instruction ID: 15281e15d739845a762f0b00c75320b965c328cb99f65203119ad4d2b79902f5
                            • Opcode Fuzzy Hash: 8bca57fb9f17082a494cb2902eff2e962725f4de70d36ef10fe52854d2c8038d
                            • Instruction Fuzzy Hash: 1541B132E002289BDF61EF64CD41BEE77B5AF45750F4501A6E908AB241DB38DE84EB91
                            Function 0104866E Relevance: .1, Instructions: 129COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction ID: 44eaef647d00130173db11d498d6c747000ebf7e8bf712a1378594eff0215731
                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction Fuzzy Hash: 0A4195B5B00105ABEB55DFD9CCD4AAFBBFABF89640F1484BAE584A7341D670DD008750
                            Function 00F80887 Relevance: .1, Instructions: 128COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5343ace0845200c0135013459291d9403ff4565e43477005e86d7ed5fd07d5d7
                            • Instruction ID: 00acb5a8b69760e1f8ded1425646d1407eb6c8408955598855c1fa1ef57f8e76
                            • Opcode Fuzzy Hash: 5343ace0845200c0135013459291d9403ff4565e43477005e86d7ed5fd07d5d7
                            • Instruction Fuzzy Hash: F54107716007019FE764EF24C880A66B7F5FF48314B944A6DE44787752EB34F849EB90
                            Function 00FAA470 Relevance: .1, Instructions: 127COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c024d2ddff3bf0d866ecc1216caee17d5e5cb22a3319d3b2579f1c8757623fb6
                            • Instruction ID: 259a0562c4f1861b8716bcbcc9b7ee7d0a3cf37593c331e9a8ff9e54d3db1148
                            • Opcode Fuzzy Hash: c024d2ddff3bf0d866ecc1216caee17d5e5cb22a3319d3b2579f1c8757623fb6
                            • Instruction Fuzzy Hash: 6C41D072E40244CFDF25DF68D8947AE77B0FB0A320F18019AE411BB291DB399D44EBA5
                            Function 00F88BF0 Relevance: .1, Instructions: 124COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 31e8d64fb212d4e0719fe6bfbabf5af818d5b9773f3a23883dfb7705b50a654d
                            • Instruction ID: d27673f57c15aa5a08faf74799bfc47cddf0dc71d2f0247f52522964064ce924
                            • Opcode Fuzzy Hash: 31e8d64fb212d4e0719fe6bfbabf5af818d5b9773f3a23883dfb7705b50a654d
                            • Instruction Fuzzy Hash: E8412732D00201CFC724EF49C841B9AB7B5FB85754F64812AE401AB65ADB7ADC42EFA0
                            Function 00F78918 Relevance: .1, Instructions: 123COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b83e137e9b98b9abd679deec131c4d91565351602f5d50ad4dbc9d6aed351454
                            • Instruction ID: 2177a19057050cfc49574fd4571f38d2a2b02550d27d318d30fa59a0e2772f36
                            • Opcode Fuzzy Hash: b83e137e9b98b9abd679deec131c4d91565351602f5d50ad4dbc9d6aed351454
                            • Instruction Fuzzy Hash: 54418F725087069FD311DF64C841A6BB6F9AF84B94F41492BF984D7250EB30DE05AB93
                            Function 00F7A020 Relevance: .1, Instructions: 122COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction ID: ae725ea82abed7f3e00aa9ee1a1ec4840d21123bf79876778d71e64a83db5bce
                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction Fuzzy Hash: DB41F632E04211DBDB10DF9588447BEB762EB90764F2BC46BA8499B340D7359D40BB93
                            Function 00F809AD Relevance: .1, Instructions: 122COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3883d80c7d8e10eb1d83ae44746d8f409b8febf63a4657e5e707e22a1e5063b6
                            • Instruction ID: 904df0b198ec10fb9ad60d9b33ff92e6af7c3f072f3824919764145c183056e2
                            • Opcode Fuzzy Hash: 3883d80c7d8e10eb1d83ae44746d8f409b8febf63a4657e5e707e22a1e5063b6
                            • Instruction Fuzzy Hash: BD41AA71A00700EFD764EF18C841B66B7E5FF48720F64852AE449CB252EB35ED46DB80
                            Function 00FB0710 Relevance: .1, Instructions: 121COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction ID: 5ea03840d1294904aeb049fb3466bd014b9681c00edd7007ffb2b18e7ec201ab
                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction Fuzzy Hash: 58414675A00705EFDB24CF9AC980AAAB7F5FF08710B20496DE156D7290DB30EA44EF90
                            Function 00F8262C Relevance: .1, Instructions: 119COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc6b34ddb496930db8b668b16a0137a2b9bb0fe1b6e48c60414e1604e2c7ca36
                            • Instruction ID: f955d6554c41ab422001d411024725ddec8d4832f1ee0e6fcf52b419c26415b8
                            • Opcode Fuzzy Hash: cc6b34ddb496930db8b668b16a0137a2b9bb0fe1b6e48c60414e1604e2c7ca36
                            • Instruction Fuzzy Hash: 8341D2B1901700DFDBA1FF29C901B99B7F2FF44320F1482AAD4569B2A1EB34A941EF51
                            Function 00FBC8F9 Relevance: .1, Instructions: 116COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 602550e96168053e3ad26665a0a6675e011dee6c49e0347f2dd05ef04010dedc
                            • Instruction ID: 629d054f368bbb57005dbd8aa2966871816581c2563f11c594948b5e7beae336
                            • Opcode Fuzzy Hash: 602550e96168053e3ad26665a0a6675e011dee6c49e0347f2dd05ef04010dedc
                            • Instruction Fuzzy Hash: 9A318CB1A00745DFEB51DF58C44079ABBF4FF09724F2081AAE519EB251D7369902DF90
                            Function 010007C3 Relevance: .1, Instructions: 114COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1873fc043b067fa7b81238efdea0efbab69ac84005c1e1bc92cf5111a8d1582
                            • Instruction ID: 42795917093fe82db64f0bba1b171c4df5724082f72e6f4b13909eb3c45326d7
                            • Opcode Fuzzy Hash: f1873fc043b067fa7b81238efdea0efbab69ac84005c1e1bc92cf5111a8d1582
                            • Instruction Fuzzy Hash: CB418D719083019BE361DF28C845B9BBBE8FF88754F004A2EF5D8D7291D7749905DB92
                            Function 00F780A0 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 697408589ce093dab862e66384e866b8e6928862b6da1e77c33ff4dba9299310
                            • Instruction ID: 68812a854207ce461f57ee25b3449885b0ce78016463936ddf3f04ba0d3125fa
                            • Opcode Fuzzy Hash: 697408589ce093dab862e66384e866b8e6928862b6da1e77c33ff4dba9299310
                            • Instruction Fuzzy Hash: BB41D072E45615EFCB00DF14CC44AA8B7B1BF447A0F64C22BE819A7281DB74ED43AB91
                            Function 010005A7 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02ded6988eb5f281a0ea81343da11a59b8170df986cd8eb73664ea423fd042a0
                            • Instruction ID: 1949e7da094b068a9fc63f95f1031c21f3d4d17293e2f95411b0a30e3a474986
                            • Opcode Fuzzy Hash: 02ded6988eb5f281a0ea81343da11a59b8170df986cd8eb73664ea423fd042a0
                            • Instruction Fuzzy Hash: 2641E1726046429FE321DF68CC40BAAB7E9FFC8740F144A2DF99497684E734E904C7A6
                            Function 00F84859 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9644b44a4e35148ac19364df5ece549d5d4baf0263182082f387bbde339b35f5
                            • Instruction ID: 5f64f21175c01355a75ed9b6c5c7e39320f5348c2d23242664c736fdee2b9155
                            • Opcode Fuzzy Hash: 9644b44a4e35148ac19364df5ece549d5d4baf0263182082f387bbde339b35f5
                            • Instruction Fuzzy Hash: AA41D331A003028BDB35EF28D884B6BB7E9EF80364F15442DF5958B291DB39ED41EB51
                            Function 00F78B50 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b67ae76e86f84cf27cdcae329108e861ffddda68229792a86f9e534446fe993
                            • Instruction ID: ceb070bcab0520b82cfbce18e96803f4941f39ba26aaae69386f459858811f4e
                            • Opcode Fuzzy Hash: 0b67ae76e86f84cf27cdcae329108e861ffddda68229792a86f9e534446fe993
                            • Instruction Fuzzy Hash: 9041A272E41204CFCB15DF69C98499DB7F2FF88360B24C62BD45AA7250DB349902EB51
                            Function 00F902E1 Relevance: .1, Instructions: 106COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                            • Instruction ID: 4dccde6e999488bdff676717c7af90a22e98984c19d08658ba06397be9e9702e
                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                            • Instruction Fuzzy Hash: FA312532A01244AFEF219B79CC44FDEBBE8AF04350F1441A9F855D7352CB789884EBA4
                            Function 0102E3DB Relevance: .1, Instructions: 105COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a2ffa59302d57dfe1341ad8a2751da3bc74fae491c0724edb7adf9d89e01eb5c
                            • Instruction ID: 98b3f4fd31dcdb171ae4ef8c94dd056f64b3d9238ed157e19691d6f399fa60c9
                            • Opcode Fuzzy Hash: a2ffa59302d57dfe1341ad8a2751da3bc74fae491c0724edb7adf9d89e01eb5c
                            • Instruction Fuzzy Hash: 42319975B80715ABEB22AF55CC41FAF76B9AF49B50F100028F604AB291DFA9DD01D7E0
                            Function 01034B4B Relevance: .1, Instructions: 104COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07da3c1443a27f798f7d45413ea8b868b59e9f60c17d7def24c760a21965aa34
                            • Instruction ID: 7a77d1f585f6e0ac6ed840f8fd4007eba74166917c0334af0f4e7ab7623b0494
                            • Opcode Fuzzy Hash: 07da3c1443a27f798f7d45413ea8b868b59e9f60c17d7def24c760a21965aa34
                            • Instruction Fuzzy Hash: BB31D032A156008FD765DF19D880E6AB7E9FBC1320F0A44ADE9D9DB252D732AC04CB90
                            Function 00F84260 Relevance: .1, Instructions: 102COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f46a75a0708a505eb5f40e6df14e73b913f1c22359d6560707d0ecaf75dfa619
                            • Instruction ID: 55a847a4e6157f109d15a5f9657bf80c9c3301ddb6549d752a162083c2db8c9d
                            • Opcode Fuzzy Hash: f46a75a0708a505eb5f40e6df14e73b913f1c22359d6560707d0ecaf75dfa619
                            • Instruction Fuzzy Hash: 5641D131500B45DFC722DF24C885FD677E4BF49314F104429EA998B291CBB5F844EB50
                            Function 01034BB0 Relevance: .1, Instructions: 101COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 101b63364987d66c7090ebf32d5ccd01a5476121f6fc6a917f33d8c83de0a097
                            • Instruction ID: 04693bb485bb4cb48fddadeea7026c0440b042ce7624bc9ebbd5f96db3b6ee2e
                            • Opcode Fuzzy Hash: 101b63364987d66c7090ebf32d5ccd01a5476121f6fc6a917f33d8c83de0a097
                            • Instruction Fuzzy Hash: A031CD71A142058FD360DF28C880A2AB7E9FBC4320F0A456DF999DB291E730EC04CB91
                            Function 010461C3 Relevance: .1, Instructions: 97COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 406c8ecbf06203d6794c703f89d7c243434dbfecad6f94825458cf256adcc41f
                            • Instruction ID: 106809b90a779bddf98917c8051c4c4c5ffe655e5f5a6ad54d41a05efe4ccd4c
                            • Opcode Fuzzy Hash: 406c8ecbf06203d6794c703f89d7c243434dbfecad6f94825458cf256adcc41f
                            • Instruction Fuzzy Hash: D231F0B5A0061ABBDB15DF98CE81FAEB7B5EB44B40F004168E940AB240E771AD00CBA0
                            Function 0102483A Relevance: .1, Instructions: 96COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45fbc5325ae2794e372eeead31607e8bed4eedaf8082ba2870fc67bcd0cd5972
                            • Instruction ID: 9036c2047b493d0ce35354732e913904ff750401a31bd2c8a5ae520a295f74f3
                            • Opcode Fuzzy Hash: 45fbc5325ae2794e372eeead31607e8bed4eedaf8082ba2870fc67bcd0cd5972
                            • Instruction Fuzzy Hash: 76317276A4012CABCF61DF54DC88BDEBBF9AB98350F1000E5F908E7250CA749E919F90
                            Function 010460B8 Relevance: .1, Instructions: 95COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 269c61fbe373ce9036cd27174893e51883a9b6df03984f28d0fc1df25837c94c
                            • Instruction ID: b97c3598266c26f43d6758e79293c276cb36a0503864a3f77053b78877a8bbc9
                            • Opcode Fuzzy Hash: 269c61fbe373ce9036cd27174893e51883a9b6df03984f28d0fc1df25837c94c
                            • Instruction Fuzzy Hash: 6031F6B1A00601AFEB229F99CC90B6EB7F9AF45750F044079F585DB352EA32ED009790
                            Function 00F807AF Relevance: .1, Instructions: 95COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3beadcef2f542779c5fcbcdd2295b1901b283925de491b5bfb65bd13f8814ce2
                            • Instruction ID: 65d22d8257ef592ed4920eb06a6285455fac911c7428ba3dfd95e307abc71ddc
                            • Opcode Fuzzy Hash: 3beadcef2f542779c5fcbcdd2295b1901b283925de491b5bfb65bd13f8814ce2
                            • Instruction Fuzzy Hash: 5D31F132A04611DBC762FE248C80EABB7A5AF94360F414529FC59AB311DF34DC49B7E2
                            Function 00F88550 Relevance: .1, Instructions: 94COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 240825b3e8aaaed639499c2cc342377dd572ec314729cc3852539d99ec599876
                            • Instruction ID: 198b263c57f8545876b583bd9188287cf42c4e108321c62634deb22a7c787b31
                            • Opcode Fuzzy Hash: 240825b3e8aaaed639499c2cc342377dd572ec314729cc3852539d99ec599876
                            • Instruction Fuzzy Hash: 38319E72A093418FD360DF19C840B5AB7E8FF98760F58496EE9849B291E770EC44DB91
                            Function 00FBA6C7 Relevance: .1, Instructions: 92COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction ID: 0d51f909ca00f769ee6f710ef27eec4941c64c6568abdd1f501a9dbe8fede40d
                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction Fuzzy Hash: 59310E72B04B01AFD765CF6ADD41B97B7F8AF08B50F14052DA55AC3651EA30E900EF51
                            Function 0102EBD0 Relevance: .1, Instructions: 91COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fe27d14e1b6c96956632761d7e1d42a14ad350c5cdddba08e9dabe47da329781
                            • Instruction ID: 027b9516dd77fca0a782d6c3b006059d46d6f4453ef95894b5758d830a8d70bc
                            • Opcode Fuzzy Hash: fe27d14e1b6c96956632761d7e1d42a14ad350c5cdddba08e9dabe47da329781
                            • Instruction Fuzzy Hash: 933196B19493159FCB21DF1AC94081ABBF1FF89314F1489AEE4C89B252D3319946CF92
                            Function 00FA438F Relevance: .1, Instructions: 89COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 313a6051c5d0f68836d3f16d91b38e1f3753fd6f19aa5fe36c05c5674aa5a592
                            • Instruction ID: c3cab97ac68731de167ea2d862292942f48b1e83610b4b49f988c8be0437fb1f
                            • Opcode Fuzzy Hash: 313a6051c5d0f68836d3f16d91b38e1f3753fd6f19aa5fe36c05c5674aa5a592
                            • Instruction Fuzzy Hash: E13104B2F006058FDB24DFA8CD81B6EB7F9AB85304F104529E846D3295D774ED41EB50
                            Function 00F7CB7E Relevance: .1, Instructions: 89COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                            • Instruction ID: 750c4db51ad19ac70238f3cdbf28ffe1c09934227ce53aa0fca1d8a499d204ee
                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                            • Instruction Fuzzy Hash: 68210632E4025AABCB119BB5C801BAFB7B6AF44750F198036AD59E7340E231DD0097E6
                            Function 00F7C156 Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dfcf4e5ca7a62b503e0455ed001eb1cb70f5856aa1e5e2d0bba49c5ffaceac9e
                            • Instruction ID: ee0aa493ec86c1d41165a31a0e0097fe451d629918b5ee0eeeba8b486725390e
                            • Opcode Fuzzy Hash: dfcf4e5ca7a62b503e0455ed001eb1cb70f5856aa1e5e2d0bba49c5ffaceac9e
                            • Instruction Fuzzy Hash: 673120729002109BDB31AF18CC41BA977B5EF45314F58C1AAEC859B342DE79DD85EB90
                            Function 0103C3CD Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction ID: ea34d984385fc80406b011c182e8bd45f53b070ccbdfbcd887ccd93c245058b9
                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction Fuzzy Hash: 12212D3660065166EB15AB959D01EFABBB8EFC0710F40801FFAD5D7552EB38DD40D760
                            Function 00F7E420 Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d05a4a55a9764b6f744ea52bb11bfa3782ecdfd5dc6755962f6cdfa0c54589e0
                            • Instruction ID: ed0cdbe8db0d23dcac444cd04d50d90321ecdc34d7fc3c39303231f507bfb31e
                            • Opcode Fuzzy Hash: d05a4a55a9764b6f744ea52bb11bfa3782ecdfd5dc6755962f6cdfa0c54589e0
                            • Instruction Fuzzy Hash: 6131F636A0052C9BDB31DF14CC42FEE77B9AB19750F0040E7F649AB290D674AE80AF91
                            Function 00FB44B0 Relevance: .1, Instructions: 87COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69adea69200cd6fa330610aa85ee54f9e900d31ea2d67548c1ce3ae1f46c763d
                            • Instruction ID: 2d328c8c710b7e9d84eeecaf9966cc0ecc97837a39ed9c6f646d18b2d04fa20b
                            • Opcode Fuzzy Hash: 69adea69200cd6fa330610aa85ee54f9e900d31ea2d67548c1ce3ae1f46c763d
                            • Instruction Fuzzy Hash: 2621B172A04B459BCB21DF19C981BAB77E4FF88760F044519F9549B242D734ED00EFA2
                            Function 00FB4588 Relevance: .1, Instructions: 87COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                            • Instruction ID: 80f4282bead7cb55507bc5895ada1685b29d0ee6a6ae31e950a683509a960088
                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                            • Instruction Fuzzy Hash: BC219132A00608EBCF11DF59CA80ACEBBB6FF49710F108069ED259B242D675EE059F90
                            Function 00F7E388 Relevance: .1, Instructions: 86COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction ID: ab40c12ea7ef2f9bc0ab7a2e2f6fe97fa354be638556279ece3a34e9560891ac
                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction Fuzzy Hash: 2631BF31A00604EFD721CF68C884F6AB7F9EF89354F1485AAE556CB280E730EE01EB51
                            Function 00FFE609 Relevance: .1, Instructions: 86COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3baf23a052faa5a783f727d2423065c37dabf2f58d47f93bf2cf0f06b23d3dcb
                            • Instruction ID: a59d414b4ee0e194a47e3f20750764a3e93ef1958ab14654c265612ccb7eb7ac
                            • Opcode Fuzzy Hash: 3baf23a052faa5a783f727d2423065c37dabf2f58d47f93bf2cf0f06b23d3dcb
                            • Instruction Fuzzy Hash: 80319E75A1020D9FCB14CF18C8849AE77B5EF94304B118469E94ADB3B1EB31EE40DB94
                            Function 010006F1 Relevance: .1, Instructions: 79COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f8bf7ecbc2b9144613e0109991db540f867dab9d2071572f3f79b03e4c00eaf
                            • Instruction ID: f8ccc1c57b13c33d538e7b9bc43d592fdda2cc307bb24e27a8cfb1e3766e9e83
                            • Opcode Fuzzy Hash: 1f8bf7ecbc2b9144613e0109991db540f867dab9d2071572f3f79b03e4c00eaf
                            • Instruction Fuzzy Hash: 8B218B719006299BDF219F59C881ABEB7F4FF48740F40006AF945AB285D738AE42DBA1
                            Function 0100019F Relevance: .1, Instructions: 78COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4cf655e96845f2b739f6c96018634e05538f63ce2ab07de2fa418fb50fdcbac
                            • Instruction ID: 47075823e9d303094e550470d19bd9aa50c75113c15407096ae462f59ae2e892
                            • Opcode Fuzzy Hash: a4cf655e96845f2b739f6c96018634e05538f63ce2ab07de2fa418fb50fdcbac
                            • Instruction Fuzzy Hash: FD219C71600644AFEB16DB6CDD41F6AB7E8FF48780F1400AAF944D7691D638EE40CBA4
                            Function 01000283 Relevance: .1, Instructions: 74COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3342905207c1148c09812c5aae9ad74e7b2d93043c4c5ad1a27309ea2446c5cf
                            • Instruction ID: 3a58ff5ac1e975a131a0938a1ef22e21897175b94bb5c735aa2dd446cf464198
                            • Opcode Fuzzy Hash: 3342905207c1148c09812c5aae9ad74e7b2d93043c4c5ad1a27309ea2446c5cf
                            • Instruction Fuzzy Hash: 6F21A1725046459BE713EF59C844B6BBBECAF91780F0844A6BDC087296D734DA48C6A2
                            Function 00FA2835 Relevance: .1, Instructions: 73COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa2472ee3c9e1f59e23f767fb3af78aa2ffb43cc88f6c8a8489fe369f77ebb48
                            • Instruction ID: 2df3ddf959789be953227e340c7b4aa8ddc837a36a1e41ce9ee3b2ff4942ed9b
                            • Opcode Fuzzy Hash: aa2472ee3c9e1f59e23f767fb3af78aa2ffb43cc88f6c8a8489fe369f77ebb48
                            • Instruction Fuzzy Hash: A3213572F456C59BF732572C8C04B243794AF42B70F2903A1F9209BAE2DB6CDC01A242
                            Function 00FBA30B Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 03eac05cc9e6c8a36ccd8ba5e5fa03f18c3f9d41327ddbc2cb3e6802506a5d73
                            • Instruction ID: 1933c019fa2f227143ba510184c1cd44b7f1776312fbac1e500aded15ad433fd
                            • Opcode Fuzzy Hash: 03eac05cc9e6c8a36ccd8ba5e5fa03f18c3f9d41327ddbc2cb3e6802506a5d73
                            • Instruction Fuzzy Hash: 3021AC79600A009FCB25DF29CC01B56B3F5AF08B04F288468A549DBB61E736E942DF94
                            Function 0103A49A Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5ea374ec828d207da1e3683c9411f09a248e0cd4cb596e152ef8e82c3a468eee
                            • Instruction ID: 54e6cd5f9b5aa4f1f70bb7244d7ac10af4e2086ab7dee7588c083f1bedf8e450
                            • Opcode Fuzzy Hash: 5ea374ec828d207da1e3683c9411f09a248e0cd4cb596e152ef8e82c3a468eee
                            • Instruction Fuzzy Hash: 40112336380B11FBEB2256589C02F6B769DDBC4BB0F100028B788DB2D0EF64DC019795
                            Function 01000946 Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 012c9d61cce3c3767a8a1963298735913b7036d8222da35da799dea4f42f8f16
                            • Instruction ID: 823606be054bb124f96f8f925ff2d787f01ac332ff9a539765e3fa25775bed05
                            • Opcode Fuzzy Hash: 012c9d61cce3c3767a8a1963298735913b7036d8222da35da799dea4f42f8f16
                            • Instruction Fuzzy Hash: 492128B1E00209ABDB20DFAAD981AAEFBF8FF98700F10412FE445E7244DB749941CB54
                            Function 010180A8 Relevance: .1, Instructions: 69COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                            • Instruction ID: 1ec881faed47343ebca3172c2b1a2ea9bc82034f9b3d8d12feb26bb2ce5d3bbb
                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                            • Instruction Fuzzy Hash: 1C214D72A00209AFDF129F98CC40BAEBBF9EF88310F204456F955A7251D778DA51DB50
                            Function 00FB0124 Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction ID: 3743a2787044830c8e5d3bd719849f9a3eca1209463824afb95372e4d1f66ddb
                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction Fuzzy Hash: ED11D072600604BFD7269E59CC41F9BBBB8EB80760F204029F6049F180DA71ED44EB60
                            Function 00F88770 Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f02bbce0e0c008e9e0bf01b2563fbd605740c3de1cbf7ac5d1c132a97f446887
                            • Instruction ID: 9f7d7a10a8c9438dccc6f8e1bb8622da6cf5202f67a67dd239be25ece3da27c2
                            • Opcode Fuzzy Hash: f02bbce0e0c008e9e0bf01b2563fbd605740c3de1cbf7ac5d1c132a97f446887
                            • Instruction Fuzzy Hash: 4511C871B006109BDB11DF49C4C0A9AB7F5AF46BA07A4406DED08DF205DAB2DD02D790
                            Function 00FBAAEE Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                            • Instruction ID: 07e7c77f69394bbcfdc7e33c9347f2d40f06d007d6e52e40064b31b88ffd77e2
                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                            • Instruction Fuzzy Hash: E1217C72A00A40DFCB219F4AC550AA6F7E6EBD4B20F24803EE55997621C734ED01EF41
                            Function 00F880E9 Relevance: .1, Instructions: 66COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9528cfc4dc8dc271080c9db9d1ecedf753617081ce479c35113d88e58a381d55
                            • Instruction ID: 9c4314e76dfe76f1e9cc3bec0315416aca01449ddc7161b9ba4fb33868965317
                            • Opcode Fuzzy Hash: 9528cfc4dc8dc271080c9db9d1ecedf753617081ce479c35113d88e58a381d55
                            • Instruction Fuzzy Hash: E3217932A00605DFCB14DF98C985AAABBB5FB88358F60416DD105AB310CF71AE06DB90
                            Function 00FB674D Relevance: .1, Instructions: 65COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67f86472696a149a2cb3fa569f94acad53a67e6362bb1cdd75bb962f358cb1ba
                            • Instruction ID: 9f9af582f5da84602e3bff617d8681fa8ed996597228dcff485d4c5ea9fddb4e
                            • Opcode Fuzzy Hash: 67f86472696a149a2cb3fa569f94acad53a67e6362bb1cdd75bb962f358cb1ba
                            • Instruction Fuzzy Hash: FF218E71500A00EFD7208F69C841FA6B3E8FF44754F60882DE4AAC7250DE34AD40EF60
                            Function 00FAE8C0 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0635e32fb57cb7bd9a5cbbd9fa1fd91b341ea56028da08a5e114a05e6570fd01
                            • Instruction ID: a03efe3700a2a38a7e4d116011da52e4e705785876e247e8bb2c9a82976f2b25
                            • Opcode Fuzzy Hash: 0635e32fb57cb7bd9a5cbbd9fa1fd91b341ea56028da08a5e114a05e6570fd01
                            • Instruction Fuzzy Hash: 7E114873B001149BCF19CB29CC82A6BB256EFD63B0B344539E923CB281EA31DC06D290
                            Function 01016870 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4261bbae0b987eac957c0698b3b1b0e91f571cd19c360ca3b66737190d01242
                            • Instruction ID: ce32fff563c84bec075c87307fc444d9a65fcdfe77f65ed617e2f276107fa91a
                            • Opcode Fuzzy Hash: f4261bbae0b987eac957c0698b3b1b0e91f571cd19c360ca3b66737190d01242
                            • Instruction Fuzzy Hash: B711C132240604EBD722DB9DCD40F9A77ADEB49B50F014024F685DB255DABAE901C790
                            Function 00FB66B0 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6120a0c08b2a7eeda034c51201915e06e0c4db09181c107607b679c4fab4327
                            • Instruction ID: 25acf650f90654395f1a61e61a4b48bfa694c4c407c6006ffc371a6321aa2c4f
                            • Opcode Fuzzy Hash: d6120a0c08b2a7eeda034c51201915e06e0c4db09181c107607b679c4fab4327
                            • Instruction Fuzzy Hash: 2711B276E012449BCB24DF5AC980A9ABBE4AB94754B254079E905DB311DE38DD00EF90
                            Function 0104A8E4 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                            • Instruction ID: d1d125d9508a5d00323a7a1ae0eecb2bebe6b90a0b3e2406c1a634864f9ca0a2
                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                            • Instruction Fuzzy Hash: 2F110436A00909EFDB19CB58CC41B9EBBF5EF84310F058269E88697340E631AE11CBC0
                            Function 00F80AD0 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                            • Instruction ID: c4185a96e924eb9986bd1d4fca18216d9922be76a54e0c00cf00a074949de297
                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                            • Instruction Fuzzy Hash: 1B2103B5A40B059FD3A0CF29C581B52BBF4FB48B20F10492EE88AC7B40E771E814CB90
                            Function 0100E7E1 Relevance: .1, Instructions: 59COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                            • Instruction ID: 1426eda736a34d35e2ee451664e9391ffa56d7d1609843e94d31fc009bea1d2c
                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                            • Instruction Fuzzy Hash: D611A332600A00EFFB629F48CC40B5A7BE5EF45750F058868F98DAB190D775DE40D790
                            Function 00FA27ED Relevance: .1, Instructions: 58COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8e297aada81bde064ae06d221e02b1b2aea03e1888c843847b62e5113b9f013c
                            • Instruction ID: a685b29ed8cd117a7f9d10efe0cfdd6bb533cf536a5fb1d84ac5feaf6dddbd9a
                            • Opcode Fuzzy Hash: 8e297aada81bde064ae06d221e02b1b2aea03e1888c843847b62e5113b9f013c
                            • Instruction Fuzzy Hash: 2501FE72B05684AFE326626EDC54F67779DEF41764F154076F8009B651D618EC00F3B2
                            Function 00F84690 Relevance: .1, Instructions: 57COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8eff625b9072c4f441d088daeddc3387287974b83b30e7b21cf79875e8052573
                            • Instruction ID: af885ccee58204b15e74861cd2ebbf06202c2bc40f09dd805d0c98d15b7ead2c
                            • Opcode Fuzzy Hash: 8eff625b9072c4f441d088daeddc3387287974b83b30e7b21cf79875e8052573
                            • Instruction Fuzzy Hash: 5611E136600646AFDB25EF59D840F9A7BA8EB86B74F104129F904CB290C774FC40EF60
                            Function 01054B00 Relevance: .1, Instructions: 57COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d18b65e9c028cb35411c46645eb1084d350dcc833a8e4e6536e716203bf2c16e
                            • Instruction ID: 30a1acf99395d727d3c8dd60d4f63b614dfb9b2a80bd43954349b57e21401a37
                            • Opcode Fuzzy Hash: d18b65e9c028cb35411c46645eb1084d350dcc833a8e4e6536e716203bf2c16e
                            • Instruction Fuzzy Hash: 4011C6362006119FEBA19A29DC44F97B7E6FFC4711F154559EEC2C7650EA30A842C790
                            Function 00FB6620 Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d0840edeaec9e728d9bf70f5fdee97bb48dce46b9670d1e33d04e2deb23e93b
                            • Instruction ID: 6ef417d11e2b78a68bc0e81313c7bf1db4bd0e97a961960441ee9bacf57d20b0
                            • Opcode Fuzzy Hash: 0d0840edeaec9e728d9bf70f5fdee97bb48dce46b9670d1e33d04e2deb23e93b
                            • Instruction Fuzzy Hash: 2C11C272D00614ABDB21EF5ACD81B9EF7B9EF88750F500054E905FB201D738AD01AF50
                            Function 00FAEA2E Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 24e2b12ab5e3f5bf52883c0c9c53379c45a44fe6de62497174d5a061cf99c764
                            • Instruction ID: 1b8f9c7052e506b501fa5a2c00dda0db60d6d0e08f66e2ffbeb6819f87c2b096
                            • Opcode Fuzzy Hash: 24e2b12ab5e3f5bf52883c0c9c53379c45a44fe6de62497174d5a061cf99c764
                            • Instruction Fuzzy Hash: 98019EB19001099FD725EB15D849F96B7F9FB86324F20826AE0099B261C778EC42DB94
                            Function 00FAE53E Relevance: .1, Instructions: 55COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                            • Instruction ID: 696946a3ccacc58e6fe4d0232b02a077ddb04ee68ee9a157fdbb03ddc71e3888
                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                            • Instruction Fuzzy Hash: EB11E5B2E016C59FEB229729DD54B2937D4AB02B68F1D00F1ED41CB642E32CDC46F250
                            Function 0100E75D Relevance: .1, Instructions: 54COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                            • Instruction ID: c227d9d3372eff7ab8bbbe9fbab2ec965e25a7e51c8dc25270d68e60b77ce893
                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                            • Instruction Fuzzy Hash: E501C432604105AFF7235B58CC00B9ABAE9FF40750F158868FA89AB1A0D775DD40D790
                            Function 00F7A250 Relevance: .1, Instructions: 52COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                            • Instruction ID: 3955578f5e0044bfc17c54c59184ebdb2faed3b889889b3e60b172b7c5e63d3c
                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                            • Instruction Fuzzy Hash: A0012632805B119BCB308F15D840A3A7BA4EF95B70701C92EFC998B682D735D800EB62
                            Function 01054940 Relevance: .1, Instructions: 52COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e0b549b0366bda61c088823cead97f79a6c0d7fa46776a69ed54c57fb45e9bc
                            • Instruction ID: df4cc7d81b823bebba4c4e9ec1011bed50bbf1b5bbc7c0417bedf25e60854afb
                            • Opcode Fuzzy Hash: 4e0b549b0366bda61c088823cead97f79a6c0d7fa46776a69ed54c57fb45e9bc
                            • Instruction Fuzzy Hash: CF01C4725415009BC7B2DF1C9C42E97B7F8EB85770B154295EDE8DB196E630D841C790
                            Function 00FFE1D0 Relevance: .1, Instructions: 51COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd48532d8f7bd8148d3809a24871829bd0f6642869d44bdccb09b5f643140e90
                            • Instruction ID: 18872f45abc2b66e1b51022434b367368b2f16d2038b91e4437faee0447afb6f
                            • Opcode Fuzzy Hash: cd48532d8f7bd8148d3809a24871829bd0f6642869d44bdccb09b5f643140e90
                            • Instruction Fuzzy Hash: 1A118B32641644EFDB15AF19CD81F56BBB8FF48B54F200065FA059B662D339ED01DA90
                            Function 00F86259 Relevance: .1, Instructions: 51COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ced91fc70652b760b663dcf8f159561145dc84e5fff9e989a455eb3093f404fb
                            • Instruction ID: b36ffe854ba88b549bafeda4eefa6edf975429292bfed390f9c3dddce2ad118a
                            • Opcode Fuzzy Hash: ced91fc70652b760b663dcf8f159561145dc84e5fff9e989a455eb3093f404fb
                            • Instruction Fuzzy Hash: 49115A71941228ABEF65AB64CD43FE9B3B4EB48710F5041D8B319E60E1DB749E81EF84
                            Function 00F8208A Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                            • Instruction ID: 2c9e619c64a01514612bbab8e823176e6988e8bfc1852d826a8acbdc6514b548
                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                            • Instruction Fuzzy Hash: 0201D433A001109BDF55AA29D880FD27766BFD4720F5945A6ED06CF346EA71EC81F790
                            Function 01006050 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1920d9b1d23eb5a438965ab5c794be76922e4845622032ba1682301a9e23d62
                            • Instruction ID: 0562e86097a349a9d85075f1111a50da4e2d22c9725b2ef2a17e923914bec1e2
                            • Opcode Fuzzy Hash: c1920d9b1d23eb5a438965ab5c794be76922e4845622032ba1682301a9e23d62
                            • Instruction Fuzzy Hash: 0C111B72900019ABDB12DB94CC81DDF7B7DEF48354F044166A506E7211EA35AA15CBA0
                            Function 01016500 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8e9705bb5a6fe195a76466ed6494dd4917406f37056f1eb17cf8b500d6b1b1c9
                            • Instruction ID: 8fa8ed77bae2c90d10c09713779ca8053e8f43692bd352d0742b3cb498d50f44
                            • Opcode Fuzzy Hash: 8e9705bb5a6fe195a76466ed6494dd4917406f37056f1eb17cf8b500d6b1b1c9
                            • Instruction Fuzzy Hash: 9F11A1726441459FD711CF59D800BA6BBF9FB5A314F098199E8888B31AD776EC81CBA0
                            Function 0100C810 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16b6df6fe000343f7c059f64109ab1840cf9f642bc5e5482c9e17a6cbb889088
                            • Instruction ID: ac91b5e797bc618776bb17d0253c322a78acc3427919950512ef8e6a9dc1115e
                            • Opcode Fuzzy Hash: 16b6df6fe000343f7c059f64109ab1840cf9f642bc5e5482c9e17a6cbb889088
                            • Instruction Fuzzy Hash: 2511ECB1E006099BDB04DF99D541A9EB7F4EF48350F10816AB905E7351D674EA018BA4
                            Function 0102EA60 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6fd6a631b1b18257b4b17cd9ea54ed6d656e7d3f9d8e75d9a98b98136bcc8992
                            • Instruction ID: f8402824403f988875dd16139596dc1fd86d58d0779c1a5b03b4438a80d7d9c1
                            • Opcode Fuzzy Hash: 6fd6a631b1b18257b4b17cd9ea54ed6d656e7d3f9d8e75d9a98b98136bcc8992
                            • Instruction Fuzzy Hash: 3F01D831581120ABDB72AB2AC840D3ABBE9FF41750B15446EF1855B612C735FC41DB91
                            Function 00FC20F0 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b2e1967e1b66be72c626f6cfe07923304960a29d9e9db7d459bbe5b014a6b9a5
                            • Instruction ID: 75143b7065974568709b64325a875df2058945194b10ff545c40e8c6ca9d3dfa
                            • Opcode Fuzzy Hash: b2e1967e1b66be72c626f6cfe07923304960a29d9e9db7d459bbe5b014a6b9a5
                            • Instruction Fuzzy Hash: 11118071A0120DAFDF05DF64CD52FAE7BB5EF44350F104059F9059B290DA35AE11EB90
                            Function 00F7C020 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                            • Instruction ID: 914fdeb4abd4674c3c5756e519399c9b00f155a5baa3bd1c7c96e343aa680212
                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                            • Instruction Fuzzy Hash: 3C01F932500705DFDB229665E800FA773EAFFC5360F18841FE546C7640DA74E901EB91
                            Function 00FBE5CF Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 450c1e56f477deadc5a77702a3353df80f5262393247d724b4020088b3df91ab
                            • Instruction ID: e0eb9a53ec945c4f64998bbffa1d069490acb9be2214526823769ccb1769255e
                            • Opcode Fuzzy Hash: 450c1e56f477deadc5a77702a3353df80f5262393247d724b4020088b3df91ab
                            • Instruction Fuzzy Hash: CA01A771601A047FE751BB79CD41E57B7ACFF457607040625B109D3562DB68EC01DAE4
                            Function 010169C0 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bbd0c5d559b75e07fe76093f602fce329ebce285634b269dd2ab69282173ba92
                            • Instruction ID: 56281554c4d73bfc71aaa9b90bed2be313abed9d4d1c2b85c4e20050f092f31f
                            • Opcode Fuzzy Hash: bbd0c5d559b75e07fe76093f602fce329ebce285634b269dd2ab69282173ba92
                            • Instruction Fuzzy Hash: 8B014C332146019BC320DF69CC89EABBBE8EF84760F50412DF99887180E7399901CBD1
                            Function 0100C460 Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a8f6e2f47d935ab2dfdd6a666baf07ac78de3c1ae0f68a9ef9969f7b4cd56b04
                            • Instruction ID: 849b429efb47ef22de047a50109212c7beae640eaa4ce8a8b2caae13537f79ac
                            • Opcode Fuzzy Hash: a8f6e2f47d935ab2dfdd6a666baf07ac78de3c1ae0f68a9ef9969f7b4cd56b04
                            • Instruction Fuzzy Hash: 46115B71A0120DABEB16EF68C955EAE7BB5FB48340F004199BD4197390DB39EE11DB90
                            Function 0100C97C Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5549ee11faca4812e9dc5b0356a6bfd28b112b882eaad03a1508a5255641c04f
                            • Instruction ID: dc38e99309b503893ed2cc2be6116c6ca3518c9a48af635d987d2ed9cfe06174
                            • Opcode Fuzzy Hash: 5549ee11faca4812e9dc5b0356a6bfd28b112b882eaad03a1508a5255641c04f
                            • Instruction Fuzzy Hash: 3C118BB16083089FD700DF69C942A9BBBF4EF88310F00855EF998D7391E634E900CB92
                            Function 0100CA11 Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c024ebc4ecc5c84d1b2f01314bf9e7d55ca1cc89c8642c8315059076a3d230f2
                            • Instruction ID: 0b7501c825bf5b39326949344eaf1cf8c69bca1cb2e9fadfc8b6e602c85f2708
                            • Opcode Fuzzy Hash: c024ebc4ecc5c84d1b2f01314bf9e7d55ca1cc89c8642c8315059076a3d230f2
                            • Instruction Fuzzy Hash: 69118EB16083089FD700DF69C942A4BBBF4EF89350F00865EF998D73A1E634E900CB92
                            Function 01054A80 Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                            • Instruction ID: b45899fcc80a7bd08006077f4c14790d2dbc3683a9b7f9b45b8c0afe08a5ae30
                            • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                            • Instruction Fuzzy Hash: 9501D836200605AFD7A19A6DD845FD7B7E6FBC5210F044459EA82CB650EA74F880C794
                            Function 00F9E016 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                            • Instruction ID: 615a34932fe0c1089d796640a1f6db958764ed601309ffe55ae3f60b557554f7
                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                            • Instruction Fuzzy Hash: B7017C32604584DFE726C75DC948F3677DDEB957A0F0D04A2F805CB6A1E6A8DC40E661
                            Function 00F7826B Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab07bbec9477c898fc818a9e0b186eee877ea0d3ca1d380b9b39c4805476b0e9
                            • Instruction ID: 363a60db4fda5e7152f690420c24cc8e005613137f357132f316cc3d5a3d0c5b
                            • Opcode Fuzzy Hash: ab07bbec9477c898fc818a9e0b186eee877ea0d3ca1d380b9b39c4805476b0e9
                            • Instruction Fuzzy Hash: 3A01F732B00504DBD714DB65DC05AAE77B9FF80360F19C02AA905AB286EE30DD02E292
                            Function 0102EB50 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: acdee457bb0e162b9b6da843f20afa3c844b662bb36c62e02b0d26545f29bccf
                            • Instruction ID: db7cacc3102263f919bf81d95266c4bb596eb7179ffe399a0942f9f982f77534
                            • Opcode Fuzzy Hash: acdee457bb0e162b9b6da843f20afa3c844b662bb36c62e02b0d26545f29bccf
                            • Instruction Fuzzy Hash: A701F271680710AFE3325B19DC02F07BAA8EF44B50F11442EF2869F391C6B59840DB58
                            Function 00F82582 Relevance: .0, Instructions: 45COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c1b03c33a06838142c02d98b4b5ddc168fd9cd1a0be5e23953f89f67825b805
                            • Instruction ID: 078035d7279edb761335c428453611dfad1dd74cbb8f3b606a3836e335a899bf
                            • Opcode Fuzzy Hash: 3c1b03c33a06838142c02d98b4b5ddc168fd9cd1a0be5e23953f89f67825b805
                            • Instruction Fuzzy Hash: B8F0F433A41A20B7D731AB568C40F47BAAEEB84FA0F144029B5059B640CA34EE01EBA0
                            Function 00FAC073 Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction ID: c9c5beee557d410e5f8a743e7f4f38b621447be75e13c8d0f274fe4aec7ccb27
                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction Fuzzy Hash: 53F0C2F2A00A11ABD324CF4DDC41E57F7EADFC1B90F048128A545C7220EA31DD04CB90
                            Function 0105634F Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 943a5b4c2f735302f589bde1fc98870beb9e3c35a3ef5b6d5c053426f4afaf5c
                            • Instruction ID: 7eced2e5c5c875abeecbb751100e963ab08c6b00bea3b1118849220cfea2c60e
                            • Opcode Fuzzy Hash: 943a5b4c2f735302f589bde1fc98870beb9e3c35a3ef5b6d5c053426f4afaf5c
                            • Instruction Fuzzy Hash: A7014471E1020DEFDB04DFA9D951E9EB7F8EF48304F50806AF904E7351D678AA019BA0
                            Function 0105625D Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a25e8c5d156a02a6e8c596f10cfbbd48154714017b0ce3bceec519ed04b8c8f7
                            • Instruction ID: 6d1a0dcb76d24b86ef3a803f63094b000f9daa3e57a5aa43902a8557c548f49a
                            • Opcode Fuzzy Hash: a25e8c5d156a02a6e8c596f10cfbbd48154714017b0ce3bceec519ed04b8c8f7
                            • Instruction Fuzzy Hash: 66012171A10609ABDB04DFA9D951EAEB7F8EF48344F50805AF904E7351D678AA018BA0
                            Function 010562D6 Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92a86803450face0cbac965e9ff51dc6e3d83f072dab8a109f745d0e5641819d
                            • Instruction ID: 28f23361e28271d9be90e51ebcb849ad52714c9b6ad49920a95fd7ae4bcd8106
                            • Opcode Fuzzy Hash: 92a86803450face0cbac965e9ff51dc6e3d83f072dab8a109f745d0e5641819d
                            • Instruction Fuzzy Hash: 53012171A00209ABDB04DFA9D951E9EB7F8EF48304F50805AF914E7351D674AA018BA0
                            Function 00F7C310 Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction ID: 88e7d1eb937efc93043c67d8fba4c87757927fa49a81487f1cc75a130cb7e00c
                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction Fuzzy Hash: 07F0FC33604A329BD77216A95C40B7BB5958FC1B64F19C03FF50DDB244C9648C01B6D3
                            Function 00FBCA6F Relevance: .0, Instructions: 42COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                            • Instruction ID: fc9d4949f7a44d1d9e49c15b2eeaab8cf619e7f0fc70cc457240be86251fd58e
                            • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                            • Instruction Fuzzy Hash: E601F93260068D9BD722D719C819FAABB9CEF417A0F084061FA44CF6A1DA7DCD01E691
                            Function 010561E5 Relevance: .0, Instructions: 41COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa56be6bb4e77e3ea821895a8e06c1965ea3571a8763f53ce71f5eb48a287349
                            • Instruction ID: 57387f38c887ac09dbec8f6639c861a0351dd3507f266583b287ad98d65f8342
                            • Opcode Fuzzy Hash: aa56be6bb4e77e3ea821895a8e06c1965ea3571a8763f53ce71f5eb48a287349
                            • Instruction Fuzzy Hash: 6B018F71A006499BDB00DFA9D952EEEBBF8AF48350F14405AF900AB380D738EA01CB94
                            Function 010063C0 Relevance: .0, Instructions: 41COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                            • Instruction ID: fec52aff9d99b73de9af4dbf7d4c1547b80891907871da2fcae5f9e57f250220
                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                            • Instruction Fuzzy Hash: 9DF0127210001DBFEF029F94DD81DAF7B7EEB59398B114125FA1196160D636DD21A7A0
                            Function 0100A4B0 Relevance: .0, Instructions: 40COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 867064041e4ac6795a422dd9db8abae4c88833bfa52052fdb840a6591efddd24
                            • Instruction ID: 9c40609539097d4eb470be281759f4f4dd76e19703906f1c053e057061f869b3
                            • Opcode Fuzzy Hash: 867064041e4ac6795a422dd9db8abae4c88833bfa52052fdb840a6591efddd24
                            • Instruction Fuzzy Hash: CD018536600249EBDF129E84DC40EDE3FA6FB4C665F068111FE5866260C736D970EB81
                            Function 00F7C0F0 Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce80a078ecd8456a712f07db641eaf64295cb5e8ce9e02594bac3487ef1d160d
                            • Instruction ID: 2116e5dc9e134b1e04981516ae7f1387985712dca5386422cf4078f41fd60f11
                            • Opcode Fuzzy Hash: ce80a078ecd8456a712f07db641eaf64295cb5e8ce9e02594bac3487ef1d160d
                            • Instruction Fuzzy Hash: B9F0F6727043005BE310A515AC01B223396D7C0761FA9C03FEB098B283F9B4DC01E3D6
                            Function 00FB656A Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2ebdbf866e031a8c8e34124b8f80edf20a98ad8b86d741f31d5a3b98790c6a52
                            • Instruction ID: 25d5692ce76e3ea15eccd7f51141e1cf74e32f676e8a82623fa70d636ca56084
                            • Opcode Fuzzy Hash: 2ebdbf866e031a8c8e34124b8f80edf20a98ad8b86d741f31d5a3b98790c6a52
                            • Instruction Fuzzy Hash: 9201A471A006859BE7329729CD49FB633A4AF40B54F580190BA41DB6E6E72CEC11B610
                            Function 0102437C Relevance: .0, Instructions: 37COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                            • Instruction ID: 9dc7dddc7cef0e35f52007a0b0ca85c5525a6f5ea1d235b89491ad104e20c146
                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                            • Instruction Fuzzy Hash: 12F02E31341D3347EBB6AA2EC860B6EB6D5AFC0E00B05856DE6C2DB640DF60DC00C780
                            Function 0100E872 Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                            • Instruction ID: 4b7d5341455927b3bcc9de533f5bdea19a919e32ce23854b9e00f749ffe6a505
                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                            • Instruction Fuzzy Hash: 02F054327155119BF7629A4DDC80F16B7E8AFC5A60F590475A64CBB2A0C760ED0187D0
                            Function 0100C89D Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 740ddf11c68239de865b70a56b8efe960cea9ea1c28a00eeb624bfe172933a05
                            • Instruction ID: 811f4bf768f10f61a17a339c6677913cbc8959b9d23289e8cc8149f98012bf61
                            • Opcode Fuzzy Hash: 740ddf11c68239de865b70a56b8efe960cea9ea1c28a00eeb624bfe172933a05
                            • Instruction Fuzzy Hash: 16F0AF716057049FD310EF28C942E1AB7E4EF88710F40865EB898DB3D1EA38EA00C796
                            Function 00FB0854 Relevance: .0, Instructions: 35COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                            • Instruction ID: 243705e1ba99d22e62be43e782595738d2990e86480d4257ca7257e913ae7210
                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                            • Instruction Fuzzy Hash: 4EF0B472610204AFE715DF22CC01F97B2E9EF98350F1480789545D71A0FAB5DE01EA54
                            Function 0100C912 Relevance: .0, Instructions: 34COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8a9466299aeaf4fd221f4aca2cb4407285bef729fdc79a013f2815b7f7de8d5
                            • Instruction ID: 0d76eb33d33add5e3b22251cd309de218cf266c06b79993b721423beac836327
                            • Opcode Fuzzy Hash: b8a9466299aeaf4fd221f4aca2cb4407285bef729fdc79a013f2815b7f7de8d5
                            • Instruction Fuzzy Hash: 49F04F70A016499FDB04EF69CA56E9EB7B4EF48300F00815AB955EB395DA38EA01CB90
                            Function 00F847FB Relevance: .0, Instructions: 33COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9261bacbb1bed9cebc6d590faabf7200fc6d82c988e5756e83964cc2c18f615d
                            • Instruction ID: a9e2c11ecd17092284536c2dd04df4a32afda491e4b6b71bf00a75ab015c215f
                            • Opcode Fuzzy Hash: 9261bacbb1bed9cebc6d590faabf7200fc6d82c988e5756e83964cc2c18f615d
                            • Instruction Fuzzy Hash: 44F02E32C022E39FD732EB28C404BE2B7C8AB00738F0D896AD89983502C324FC80E700
                            Function 01040115 Relevance: .0, Instructions: 32COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c550a0264ca7e548a07c4917bc02a00f00980f77fdd1818cff7e90154397656b
                            • Instruction ID: 873b9c0fcde4ed4cfd0a6f1bed515a04d3d48bd36314a55f6f93994fb1401467
                            • Opcode Fuzzy Hash: c550a0264ca7e548a07c4917bc02a00f00980f77fdd1818cff7e90154397656b
                            • Instruction Fuzzy Hash: E2F027B6815A854BEF726B3CA4E42D16B98A781110F0914D9D5E377219C57B8483C324
                            Function 00FBC5ED Relevance: .0, Instructions: 31COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45802c5792475b8cf62534858373aa83fef2f079058dc399fd298be88e46e2b8
                            • Instruction ID: fdf232a54191a1f6c0d8f1f11605ef3735d3eeb021a6d153d209821ae8c3269f
                            • Opcode Fuzzy Hash: 45802c5792475b8cf62534858373aa83fef2f079058dc399fd298be88e46e2b8
                            • Instruction Fuzzy Hash: 40F0E272A116519FD722971AC148FD373DAAF80BB1F18A565D80EC7512C364DC80EED0
                            Function 00FC2619 Relevance: .0, Instructions: 31COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction ID: 931186700615625d82e44f0e26ac4a1925a30847db6fd9b67c1d8f3d053ea497
                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction Fuzzy Hash: 68E0D832340A016BE712AE59CDC6F47776EEFC2B10F04007DB5045F252C9E6DD0996B4
                            Function 01016030 Relevance: .0, Instructions: 29COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                            • Instruction ID: 742baeeb0fac3c657ab595a99d7b034b120696377b6b084c9c77dc6a8e2ed5b7
                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                            • Instruction Fuzzy Hash: E3F08C721006049FE3228F09DC40B53B7F8EB05364F028065F6488B161D3BEEC40CBA0
                            Function 00F80710 Relevance: .0, Instructions: 28COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                            • Instruction ID: c07dd4fa8d1c743910e7be1f3bdc430bca7af67a370e5016abff2697a66366d4
                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                            • Instruction Fuzzy Hash: 36F0ED3A2047449BEB15EF15D050AE97BA9EB91360B950096E8468F341EB31FD82EB80
                            Function 00FB49D0 Relevance: .0, Instructions: 28COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                            • Instruction ID: 4b3bf86d711465c2a0dae91a1fc49794ebbd93098a5e91b1af30468280b469bf
                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                            • Instruction Fuzzy Hash: 11E09233684546ABD7212E568901BA676AD9BD07A0F150429E1008B252DB78EC40FB9C
                            Function 01054164 Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2275a5ed4c9162a0df480af0b61fd016f32230a8750e1789039ae2556b089ca4
                            • Instruction ID: 25fdbef7f9041c24aa3ad8f3760703e2a3199b17a7231a5cbd7cabeba8c001ae
                            • Opcode Fuzzy Hash: 2275a5ed4c9162a0df480af0b61fd016f32230a8750e1789039ae2556b089ca4
                            • Instruction Fuzzy Hash: CDF03931A26A918FE7E2D728E6A4BD777E4AB10720F1A05A4D885C7A12E724ECC0C654
                            Function 0102678E Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                            • Instruction ID: 23a4afd8b42c00eaed96d020d0209bffc11344e1c247b9a1303007839b6b8e23
                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                            • Instruction Fuzzy Hash: 99E0D832600120BBDF2197598D01F9A7EACEB44F90F050065FA00D7090D531DE00D690
                            Function 010508C0 Relevance: .0, Instructions: 25COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                            • Instruction ID: a47a348db7444a36a6f628d42557155e31204c4ee31136ffcfe210390779fc5d
                            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                            • Instruction Fuzzy Hash: 64E09B316403518BCBA58A1DC140FBBB7E8DF95760F1580A9EDD547616C271F842C6D0
                            Function 00F825E0 Relevance: .0, Instructions: 23COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a8aae1ddaf44b632bf329d8ed5dea889b1adbb3dce61bf0648494bc0e23d32a
                            • Instruction ID: fe05a6507bf9101cbb92936b83677baca23586bc2c8bba093768868fa78af643
                            • Opcode Fuzzy Hash: 3a8aae1ddaf44b632bf329d8ed5dea889b1adbb3dce61bf0648494bc0e23d32a
                            • Instruction Fuzzy Hash: 7EE092721009949BC721BB29DD02F8B7B9AEB94360F014519F15557191CB39BD10D784
                            Function 0103A456 Relevance: .0, Instructions: 23COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                            • Instruction ID: 04396142bc5dfb29b6b47d46dedbb71a16ab931e7d259f3cde36d269700f96a8
                            • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                            • Instruction Fuzzy Hash: D1E06D31110A10DBE7766B2ADD09B52BAE4AFC0711F14886CB0DA524B1CB799880DA40
                            Function 01004000 Relevance: .0, Instructions: 22COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                            • Instruction ID: 6117cd2436e767b0992eb7c010be40571257204e7c2cde6528d5286b84254083
                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                            • Instruction Fuzzy Hash: F9E0C2343003068FE756CF19C044B627BF6BFD5A10F28C0A8AA888F245EB32E842CB44
                            Function 00FBCA38 Relevance: .0, Instructions: 22COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d9321fde56b6e703ff75c31bcb33d6ef2197367bf2c72e5c9d3c06a13e2850d9
                            • Instruction ID: 47c5190dd3e0755a34d6000ee04fc277ab54bd03a298d785814c1d702cde29f7
                            • Opcode Fuzzy Hash: d9321fde56b6e703ff75c31bcb33d6ef2197367bf2c72e5c9d3c06a13e2850d9
                            • Instruction Fuzzy Hash: 66D02B328C10246ACF35F116BC24FD33A9D9B41730F014870F108D2020D51DCC81BBD4
                            Function 00F7823B Relevance: .0, Instructions: 21COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                            • Instruction ID: 619b089aaeff9ccb6edbc4d138807c3669cfe740d959c5d83fda1945209a3def
                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                            • Instruction Fuzzy Hash: 79E08632540910DEDB712E11DD05F5176A1FB94B61F25882AF049164668B755C82FA45
                            Function 00F82050 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35386cb8e5993f58d9cefe3b2ba53397e6fa026b846f974675f67ef6afc644ac
                            • Instruction ID: aae0c673b60442156e414629be571b9c14ffc960043b2a63b2bd58722b918b9d
                            • Opcode Fuzzy Hash: 35386cb8e5993f58d9cefe3b2ba53397e6fa026b846f974675f67ef6afc644ac
                            • Instruction Fuzzy Hash: B9E0C232100890ABC721FB5DED02F8A779EEF94360F000121F155972D1CB29BD00D794
                            Function 00FB8A90 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                            • Instruction ID: 8a9f3d24ca43bf9c63ba494a9ee24bebab308a3e027f8e87d9e9603ff77deb95
                            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                            • Instruction Fuzzy Hash: 77E08633515A1497C728EE18D511BB277ACEF85770F19463EA51347780C934E944DB94
                            Function 00FD6AA4 Relevance: .0, Instructions: 17COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                            • Instruction ID: bddbebb857983bbd980fe6b7aa0e0920607e8f350a962ab5f995c2c29a033b14
                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                            • Instruction Fuzzy Hash: 3FD05E36511A50AFC7329F1BEE00C13BBF9FBC4B2070A062FA44593A24C674AC06DBA0
                            Function 00FBE59C Relevance: .0, Instructions: 16COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                            • Instruction ID: 41db47ed9df2d88b33d1fe5dd0f36e9cc05ef4ce48fe4e27aa36154916f43bb8
                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                            • Instruction Fuzzy Hash: 3CD0A932608A20ABEB72AA1CFC00FD333E8AB88720F060459B008C7061C3A4AC81DA84
                            Function 00FFE908 Relevance: .0, Instructions: 16COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                            • Instruction ID: 2f59c69d1a388323e6953c4c917472c73b939ee6982259b9ed3bb0dd311ddb90
                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                            • Instruction Fuzzy Hash: 3CE08C319006849FCF22EF58CA40F5EB7F8BF80B00F140004A0086B231C368AD00DB40
                            Function 00F7A0E3 Relevance: .0, Instructions: 15COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                            • Instruction ID: 7e90709941aa4126ac182e3bd5083c801692ce8f015951cf6c38497cd76940e7
                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                            • Instruction Fuzzy Hash: 12D0123361747097DF2956656D14F6B79559BC1BA4F1B006E740EE3900C5198C43F6E2
                            Function 00FBA830 Relevance: .0, Instructions: 14COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                            • Instruction ID: 1ae80a2637c29355fb96b9e6414cf3752de9f8dd1e9fe95f7d3de56a3e03acf1
                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                            • Instruction Fuzzy Hash: 1CD012371D054CBBDB119F65DC02F957BA9E754BA0F444020B508C75A1C63AE950D584
                            Function 00FBCA24 Relevance: .0, Instructions: 14COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 03dcef5e408e3f7eab3bc349e79ef09d7854ba926a5a5bfc136b5011eada1dcf
                            • Instruction ID: 585f16023a4bd4a013e8868d289fd59d7f23d74e139b627bb1fd9e0a6d9cc3eb
                            • Opcode Fuzzy Hash: 03dcef5e408e3f7eab3bc349e79ef09d7854ba926a5a5bfc136b5011eada1dcf
                            • Instruction Fuzzy Hash: 10D0A73090180ACBDF17CF05C920E7F3AB4EF54780B400068E701A1070D72DDD02FA40
                            Function 00F902A0 Relevance: .0, Instructions: 13COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                            • Instruction ID: 6753cea18ee28a73695d613854cc59e2b2bdba5b50f9f66c30582c9eee0fdf81
                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                            • Instruction Fuzzy Hash: 61D0C935612E80CFDB1BCB0DC5A8B1533A4BB44F44F9104E0E402CBB61DA2CED80EA00
                            Function 00FBC700 Relevance: .0, Instructions: 12COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                            • Instruction ID: 891b2ba9776181ad86e9d235c11c014439af59ade14d672a38049b99f6898886
                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                            • Instruction Fuzzy Hash: 63C08033150644AFD711DF94DD01F0177E9E798B40F000021F30487571C535FD10E644
                            Function 00FA0310 Relevance: .0, Instructions: 11COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction ID: 0e064ce1e94b2c1abf60314d508ef5ada1270d9cd08b0fcdc3058987c2e13111
                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction Fuzzy Hash: B0D01236100248EFCB01DF41D890D9A772AFBC8710F108019FD19076118A35ED62DA50
                            Function 00F80750 Relevance: .0, Instructions: 9COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction ID: d33c5a3f055cd8dc388bf1085ab7323fcc9c82b4de51f543ff5c25c0cb9c03f6
                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction Fuzzy Hash: FCC04879B11A458FDF15EB2AD6A4F4977E4FB44750F190891E805CBB22E628ED01EA10
                            Function 00FC4340 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 932579e8d81b804f7e60f7a7c0fb59eb35b28322597d0fc131c13b98b65fc37d
                            • Instruction ID: 937c212aefd858e35371024b89da6e0ee44e3cedddb220ebfd07693ce670e8e4
                            • Opcode Fuzzy Hash: 932579e8d81b804f7e60f7a7c0fb59eb35b28322597d0fc131c13b98b65fc37d
                            • Instruction Fuzzy Hash: 0F9002356058102292407158888454A401697E0341B59C023E0424564D8E188A576361
                            Function 00FC4650 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d527829b05fe752b4e1a75c1c7a80008262a74dfa2ba3b9c638d7ebf76a89a8c
                            • Instruction ID: 5d8368a16a6a8f62c06b787ef4ca07f59905bdc2a2ca22765d37d127d021022f
                            • Opcode Fuzzy Hash: d527829b05fe752b4e1a75c1c7a80008262a74dfa2ba3b9c638d7ebf76a89a8c
                            • Instruction Fuzzy Hash: 2E9002656015105242407158880440A601697E1341399C127A0554570D8A1C8956A269
                            Function 00FC2AF0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1fc9609f794e5e5260c61de6948f1598e880068786c13c5576682a92e038dcc
                            • Instruction ID: 684d9ce15ab142928c63e794ccefff7dec585e894945146d1ddd6cf06eca18ef
                            • Opcode Fuzzy Hash: a1fc9609f794e5e5260c61de6948f1598e880068786c13c5576682a92e038dcc
                            • Instruction Fuzzy Hash: 7D900229221410120245B558460450F045697D6391399C027F14165A0DCA2589666321
                            Function 00FC2AD0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cfab96ec760c753d479d6e0679c2ea206fbd9438618c5b4900f614eb662f8fc
                            • Instruction ID: bcde08690660b51136c779fa79d64e58632e2994988596fae8c880cf72973c2a
                            • Opcode Fuzzy Hash: 8cfab96ec760c753d479d6e0679c2ea206fbd9438618c5b4900f614eb662f8fc
                            • Instruction Fuzzy Hash: D5900229211410130205B558470450B005787D5391359C033F1015560DDA2589626121
                            Function 00FC2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbf6bf50d7baa3fed4d5330e44b31fcf944a21f55fcbebcd52e1915531225353
                            • Instruction ID: ca44cd9c0de82345f522fccef98cb600882b3ab5c957ecf3dd6f139d9df564cd
                            • Opcode Fuzzy Hash: dbf6bf50d7baa3fed4d5330e44b31fcf944a21f55fcbebcd52e1915531225353
                            • Instruction Fuzzy Hash: 1A9002A5201550A24600B258C404B0E451687E0341B59C027E1054570DC9298952A135
                            Function 00FC2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 996b73c28f412d15926d0ce637b693c8ab202956c00dee6be1698932292d6642
                            • Instruction ID: e9050d315eb65167a54e5033f102e9c35b6aea78bdb78ae1297852f48f0efb9a
                            • Opcode Fuzzy Hash: 996b73c28f412d15926d0ce637b693c8ab202956c00dee6be1698932292d6642
                            • Instruction Fuzzy Hash: BE90023520141812D2807158840464E001687D1341F99C027A0025664ECE198B5A77A1
                            Function 00FC2BE0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e4691ba9e25a0128ee3b8c24592ca2e2ced462c0b7986fcba8d66998ce6ea31
                            • Instruction ID: 44089a387aabbb251b8fa4da5f33c4b1b58ca0db797efdf148b314d41ca74806
                            • Opcode Fuzzy Hash: 1e4691ba9e25a0128ee3b8c24592ca2e2ced462c0b7986fcba8d66998ce6ea31
                            • Instruction Fuzzy Hash: AD90023520545852D24071588404A4A002687D0345F59C023A00646A4E9A298E56B661
                            Function 00FC2BA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8fb4125e846a883f19e50159641c2338b1495a9d0db4fbe713af872ca962ce20
                            • Instruction ID: bcb96ba888f7bd5e5a36975ccc302b5680ec4d8683705db11b6fef5da5770fd6
                            • Opcode Fuzzy Hash: 8fb4125e846a883f19e50159641c2338b1495a9d0db4fbe713af872ca962ce20
                            • Instruction Fuzzy Hash: E090023560541812D2507158841474A001687D0341F59C023A0024664E8B598B5676A1
                            Function 00FC2B80 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a4fb297fa6334168247facd18ac465a7cdaa70b7b7f4af2b653c28c904216e9
                            • Instruction ID: f472b87249dbf0b882ab13eb2f0c29a2e0b2e196ab816547bc72355f8ef6082e
                            • Opcode Fuzzy Hash: 3a4fb297fa6334168247facd18ac465a7cdaa70b7b7f4af2b653c28c904216e9
                            • Instruction Fuzzy Hash: B190023520141812D2047158880468A001687D0341F59C023A6024665F9A6989927131
                            Function 00FC2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eeb0296b3e1ee299117bd39c8c64b1fcee87c52d040e796980825206456e6df0
                            • Instruction ID: 9005a8f9c6f5206a0e8458a9cd9643fd20c806ebeceb3a12afa35a6637ea4b27
                            • Opcode Fuzzy Hash: eeb0296b3e1ee299117bd39c8c64b1fcee87c52d040e796980825206456e6df0
                            • Instruction Fuzzy Hash: 079002652024101342057158841461A401B87E0341B59C033E10145A0EC92989927125
                            Function 00FC2CF0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 54c2e94f1aec1b8c3858722b2335d8c66a4142f9658fac5f855107aeebf3789d
                            • Instruction ID: 9f822ca4673bc6f81518aff933fbfc065ee4f846d99333fc3f2636e78c714f40
                            • Opcode Fuzzy Hash: 54c2e94f1aec1b8c3858722b2335d8c66a4142f9658fac5f855107aeebf3789d
                            • Instruction Fuzzy Hash: E790023520141413D2007158950870B001687D0341F59D423A0424568EDA5A89527121
                            Function 00FC2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f871bcac48a0950b52d2f443488629c065abbc2813a3f0b0330d84ff08224f55
                            • Instruction ID: d5a9b77424526d918e90e7d009e2b7dfe9f4a27c7e1c7d8628f9d8b0b3aceca6
                            • Opcode Fuzzy Hash: f871bcac48a0950b52d2f443488629c065abbc2813a3f0b0330d84ff08224f55
                            • Instruction Fuzzy Hash: 0690022560541412D2407158941870A002687D0341F59D023A0024564ECA5D8B5676A1
                            Function 00FC2CA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b59d3cf2d5ca37061e226430f4853176691b2dc1e96b3a939e0d47f2c7b4d681
                            • Instruction ID: faea64401562fdb0f30272f352554061d0789eca94b19e830d779a768afccce9
                            • Opcode Fuzzy Hash: b59d3cf2d5ca37061e226430f4853176691b2dc1e96b3a939e0d47f2c7b4d681
                            • Instruction Fuzzy Hash: 1490023520141412D2007598940864A001687E0341F59D023A5024565FCA6989927131
                            Function 00FC2C60 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d09a4b7e253aa81d3a4512f8cb6875509cedbbeddee1d74a5b78c1e85dddf9ad
                            • Instruction ID: b848dba7e8ea93df16ccf117b5c46cd9ecf48b8c9d7b73f988b4b818ab9f45de
                            • Opcode Fuzzy Hash: d09a4b7e253aa81d3a4512f8cb6875509cedbbeddee1d74a5b78c1e85dddf9ad
                            • Instruction Fuzzy Hash: 5190023520141852D20071588404B4A001687E0341F59C027A0124664E8A19C9527521
                            Function 00FC2DD0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 55233be780705e9dd1527e5bc11cf7aaf78e838db2ae7f29e55b28ec02d2f365
                            • Instruction ID: 65e27a85ddc3e7df62ce0a7b6f4f1f00ba24db5719e6252266e76f21db82dc88
                            • Opcode Fuzzy Hash: 55233be780705e9dd1527e5bc11cf7aaf78e838db2ae7f29e55b28ec02d2f365
                            • Instruction Fuzzy Hash: 64900225242451625645B158840450B401797E0381799C023A1414960D892A9957E621
                            Function 00FC2DB0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a016f5c10c34acd65e7d6ff1cbe4a72327d8aff2d1a383d9688cf62312398f9
                            • Instruction ID: 9b0f747b8b94cfec884d6da630d84149e9d73350f680c5ea669a3776771eae49
                            • Opcode Fuzzy Hash: 1a016f5c10c34acd65e7d6ff1cbe4a72327d8aff2d1a383d9688cf62312398f9
                            • Instruction Fuzzy Hash: 7D90023524141412D2417158840460A001A97D0381F99C023A0424564F8A598B57BA61
                            Function 00FC2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aeae06ec677c377eda4519ac48de8c0dd95967be19fb51c2fe1177d81960dd90
                            • Instruction ID: 16ba915feaf1a93af0851c2f8e0a273489add3d0e1bce3be9aa2c24adc1c281b
                            • Opcode Fuzzy Hash: aeae06ec677c377eda4519ac48de8c0dd95967be19fb51c2fe1177d81960dd90
                            • Instruction Fuzzy Hash: B090022530141013D2407158941860A4016D7E1341F59D023E0414564DDD1989576222
                            Function 00FC2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f04d162790448fc929e5a0e6d183d3fdf40dc4a537da56fa1e2fa4efbc7ab223
                            • Instruction ID: 60e3f89b7443e2fc2002465f133ce5d87bf82b493fc02a5ac50944b9f956a394
                            • Opcode Fuzzy Hash: f04d162790448fc929e5a0e6d183d3fdf40dc4a537da56fa1e2fa4efbc7ab223
                            • Instruction Fuzzy Hash: 8E90022D21341012D2807158940860E001687D1342F99D427A0015568DCD19896A6321
                            Function 00FC2D00 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: caca9e4a3029e2c81da90500500db6ea91de8559ec0088e0d43fbc8b348f774f
                            • Instruction ID: c4bb1d0c237d1af702632cefca9fe3a874f99c123fd8ad3d44636dc608d6dfcf
                            • Opcode Fuzzy Hash: caca9e4a3029e2c81da90500500db6ea91de8559ec0088e0d43fbc8b348f774f
                            • Instruction Fuzzy Hash: D490022520545452D20075589408A0A001687D0345F59D023A10645A5ECA398952B131
                            Function 00FC2EE0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5fa7a00c534c5385018108b5e914bd7b474115143f0077ab62c781ee97705be2
                            • Instruction ID: ba8d324ecdad2f38a9cfce8981ce650d968aefa4a6a488685d7a8e88856842e8
                            • Opcode Fuzzy Hash: 5fa7a00c534c5385018108b5e914bd7b474115143f0077ab62c781ee97705be2
                            • Instruction Fuzzy Hash: B290026520181413D2407558880460B001687D0342F59C023A2064565F8E2D8D527135
                            Function 00FC2EA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8660d5edb0ead01d0a9049753a3e352e85e8a14e4db34ccf288acd86606a8912
                            • Instruction ID: 54603870799e55608a254ced985d7ed87e8b0f59e62e803da2a1a3702f39913e
                            • Opcode Fuzzy Hash: 8660d5edb0ead01d0a9049753a3e352e85e8a14e4db34ccf288acd86606a8912
                            • Instruction Fuzzy Hash: ED90027520141412D2407158840474A001687D0341F59C023A5064564F8A5D8ED67665
                            Function 00FC2E80 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec1d80c5239981a6a4ec5c0a464d0571b8ec5abe70fdec03dce285aa3b5eac13
                            • Instruction ID: 744b1c410247a9a1fe2768fc4a6f66d3045c14f582b76a3ca8ba10d6cb12e979
                            • Opcode Fuzzy Hash: ec1d80c5239981a6a4ec5c0a464d0571b8ec5abe70fdec03dce285aa3b5eac13
                            • Instruction Fuzzy Hash: B690022560141512D2017158840461A001B87D0381F99C033A1024565FCE298A93B131
                            Function 00FC2E30 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7dc060e4411c0d7d1442fd0b2e7faabbd439c5f93906a78345039556a19343ee
                            • Instruction ID: 524b3b6867cecca15794876cb6322616a9685865c5ef128add93af687f500101
                            • Opcode Fuzzy Hash: 7dc060e4411c0d7d1442fd0b2e7faabbd439c5f93906a78345039556a19343ee
                            • Instruction Fuzzy Hash: 6190022530141412D2027158841460A001AC7D1385F99C023E1424565E8A298A53B132
                            Function 00FC2FE0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc7f454d8b0556e254ca8e1d5b4ae97146a6f5c19ce6e948b1461a31ae52f17a
                            • Instruction ID: 85bd4777a6881446fecee19a8cde4fafcf2bae1cabc0e979319cdc36eee2f6bb
                            • Opcode Fuzzy Hash: cc7f454d8b0556e254ca8e1d5b4ae97146a6f5c19ce6e948b1461a31ae52f17a
                            • Instruction Fuzzy Hash: F3900225211C1052D30075688C14B0B001687D0343F59C127A0154564DCD1989626521
                            Function 00FC2FB0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7dfba6b82a993fd378b72d7b53e95bf05fcbbab179f434c1a241ebfaae1eb594
                            • Instruction ID: ece13df9627072bbb1568aadb4b53880bd0d0ed476f2219315127333f3b13be7
                            • Opcode Fuzzy Hash: 7dfba6b82a993fd378b72d7b53e95bf05fcbbab179f434c1a241ebfaae1eb594
                            • Instruction Fuzzy Hash: EC9002256014105242407168C84490A4016ABE1351759C133A0998560E895D89666665
                            Function 00FC2FA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c7e810c2e5c40e39acebe87a0c096e3a49cf61c6bda894be3cb8ea91240800f
                            • Instruction ID: 07925abd6dd7ba3055465b2c822d9d9c0fcdee2846703e597357f37e7f4d368d
                            • Opcode Fuzzy Hash: 8c7e810c2e5c40e39acebe87a0c096e3a49cf61c6bda894be3cb8ea91240800f
                            • Instruction Fuzzy Hash: EB90023520181412D2007158880874B001687D0342F59C023A5164565F8A69C9927531
                            Function 00FC2F90 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 566a1a0534f526ecaf8ea484f80df60de36bde914dec088006aa70dbf2288a7a
                            • Instruction ID: 3d6efd0ea7d404034851dc04be4116c64d93d01deeae2724c0d3deb8bd1c71cd
                            • Opcode Fuzzy Hash: 566a1a0534f526ecaf8ea484f80df60de36bde914dec088006aa70dbf2288a7a
                            • Instruction Fuzzy Hash: A390023520181412D2007158881470F001687D0342F59C023A1164565E8A2989527571
                            Function 00FC2F60 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93230335fdce1d939042562ca75d0c1965e0e4606836d684535d8266788db4b4
                            • Instruction ID: 1f60aa6d85ea6d6594d1491c63de9dac3d70e045d10d04c759abf8778b3511bd
                            • Opcode Fuzzy Hash: 93230335fdce1d939042562ca75d0c1965e0e4606836d684535d8266788db4b4
                            • Instruction Fuzzy Hash: FA90026521141052D2047158840470A005687E1341F59C023A2154564DC92D8D626125
                            Function 00FC2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1674e22c153ce59c2d973bcacbf2d617057546d7f3d1790a0a555b0740665603
                            • Instruction ID: 454b85415ff11b901ac8c4dba327a5f51aaf1da18125c07d341a86bf7e1972c3
                            • Opcode Fuzzy Hash: 1674e22c153ce59c2d973bcacbf2d617057546d7f3d1790a0a555b0740665603
                            • Instruction Fuzzy Hash: DB90026534141452D20071588414B0A0016C7E1341F59C027E1064564E8A1DCD537126
                            Function 00FC3090 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6c5025f0ac5d223edf51dc064e0351cde8883ee2c4f4fb879b6c0c59af7dcad
                            • Instruction ID: 7afdf0fe19b14b6465a1401a52f76d96c87779677c8eb7fb9b9cc9b801441a7d
                            • Opcode Fuzzy Hash: c6c5025f0ac5d223edf51dc064e0351cde8883ee2c4f4fb879b6c0c59af7dcad
                            • Instruction Fuzzy Hash: BB90022524141812D2407158C41470B0017C7D0741F59C023A0024564E8A1A8A6676B1
                            Function 00FC3010 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ad3046394f4b813ba853b591a1913dd04e6ab12321f042d5d84b4529ca85808
                            • Instruction ID: c4f5e6ed8c8d1257c183f265237678919b8b9da30f6ada247e3bcca06ee4590b
                            • Opcode Fuzzy Hash: 3ad3046394f4b813ba853b591a1913dd04e6ab12321f042d5d84b4529ca85808
                            • Instruction Fuzzy Hash: D490022520185452D24072588804B0F411687E1342F99C02BA4156564DCD1989566721
                            Function 00FC39B0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08c02a5abb593d35e3eabe52d27c6e510ff51dd747b6772942386c9bb9b0d874
                            • Instruction ID: 11f0cba854c0f093606e66c94152e811797452c82a0179109917ea538fd9edf8
                            • Opcode Fuzzy Hash: 08c02a5abb593d35e3eabe52d27c6e510ff51dd747b6772942386c9bb9b0d874
                            • Instruction Fuzzy Hash: 1590022524546112D250715C840461A4016A7E0341F59C033A08145A4E895989567221
                            Function 00FC3D70 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64f65c330596893f86fd978958873198da8b9521982c1abfc5f1189f22f0dee7
                            • Instruction ID: 99e409565418121e25b09e591c514fb37ef95d1c79dfc22114c3f8714485f6ab
                            • Opcode Fuzzy Hash: 64f65c330596893f86fd978958873198da8b9521982c1abfc5f1189f22f0dee7
                            • Instruction Fuzzy Hash: D490023920141412D6107158980464A005787D0341F59D423A0424568E8A5889A2B121
                            Function 00FC3D10 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbfb45ee2a5887c253b0d11f8b395aa0858d34ae97f4deddbca0a5cb152bf336
                            • Instruction ID: 89d9f0b693f8847f289cd444934dc9e1cd1a97f5a761f8dec24f3084750404a8
                            • Opcode Fuzzy Hash: cbfb45ee2a5887c253b0d11f8b395aa0858d34ae97f4deddbca0a5cb152bf336
                            • Instruction Fuzzy Hash: A290023520241152964072589804A4E411687E1342B99D427A0015564DCD1889626221
                            Function 00FC2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                            • Instruction ID: 55b2ce71a6a5333b2eb95c94062ae8f845fbe297c4ceffad56831f9a21db9b0c
                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                            • Instruction Fuzzy Hash:
                            Function 00FC2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            • Opcode ID: 8d0ef5e7fe3c846d9d5105277fbb002f2fcbafd22a6186be60aeffdb879f5acd
                            • Instruction ID: 3ce73757f2b73a99af0f85f8445364317a75f8d3971e2ceecb33afe2454528d8
                            • Opcode Fuzzy Hash: 8d0ef5e7fe3c846d9d5105277fbb002f2fcbafd22a6186be60aeffdb879f5acd
                            • Instruction Fuzzy Hash: 4851C4B6A00117BBCB50DB988D91A7EF7B8FB08300B18816AE559D7681D634DE04B7A1
                            Function 01032410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            • Opcode ID: 41aa51b988c922f0fb36cdbb799d3eb3c335d2c96742842e0ea0bdbdaea6790f
                            • Instruction ID: bb622dd37f7caab93f0affdb04f5677507f1d0a87b53bad6fa71a4fa97b45edc
                            • Opcode Fuzzy Hash: 41aa51b988c922f0fb36cdbb799d3eb3c335d2c96742842e0ea0bdbdaea6790f
                            • Instruction Fuzzy Hash: 5451F571A00645AECB70DE5CC89097EBBFDEF84300B44846AE5D6C7682EA74EB409B61
                            Function 00FB7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                            Download Yara Rule
                            Strings
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00FF4655
                            • ExecuteOptions, xrefs: 00FF46A0
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00FF4725
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00FF46FC
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00FF4742
                            • Execute=1, xrefs: 00FF4713
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 00FF4787
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            • Opcode ID: bedbb6542b951d2edf7807179eb1b3ac2e1c5003255e9d5dd30b541b1dfc899a
                            • Instruction ID: 925db08c93d21978fea091031fedb855719e2d644e356e074b6ac0ef877535f8
                            • Opcode Fuzzy Hash: bedbb6542b951d2edf7807179eb1b3ac2e1c5003255e9d5dd30b541b1dfc899a
                            • Instruction Fuzzy Hash: C4513931A0431D6ADF20BA65DC86FFE73B9AF54310F1400A9E505A71D1EB71AE41BF51
                            Function 01056940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                            • Instruction ID: 409123dff75453f9b5f76fc89d984c6cd52e66e51e4a37858c933d668db08b53
                            • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                            • Instruction Fuzzy Hash: 1D022571508342AFD385CF28C990E6BBBE5EFC8704F44896DF9858B261DB32E945CB52
                            Function 00FCB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                            • Instruction ID: 3ee5a719c4537ddc0be857907b5709a0cb029ba1601e4dc7ba41ecbc9b4759b8
                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                            • Instruction Fuzzy Hash: FE81B078E0524B9ADF288E68CA53FFEBBB5AF85320F18425DD851A72D1C7349C41EB50
                            Function 010320E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$[$]:%u
                            • API String ID: 48624451-2819853543
                            • Opcode ID: 7ba2c8b0a4c61c6dfb846a2a23d537a0dc1ff7bcede2e10b71d1ec998d1ff0b0
                            • Instruction ID: 4b5a76428db4b0aa84464a1b55fd0607a10e0d5b6a9104b94c5825a802711999
                            • Opcode Fuzzy Hash: 7ba2c8b0a4c61c6dfb846a2a23d537a0dc1ff7bcede2e10b71d1ec998d1ff0b0
                            • Instruction Fuzzy Hash: 8C21A37AA00119ABDB10DE68CD51EEEBBFCEF94740F040156E944E3201EB30DA019BA1
                            Function 00FAF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                            Download Yara Rule
                            Strings
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00FF02E7
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00FF02BD
                            • RTL: Re-Waiting, xrefs: 00FF031E
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            • Opcode ID: b9ceee1cdca7ecee0681507a56c63ce828362a92f5ed3e0f9c5e40167b0173f8
                            • Instruction ID: 4fce3965bf5304e551607a0bd119da61db77c47b71a8e93b79334ca17a66ac05
                            • Opcode Fuzzy Hash: b9ceee1cdca7ecee0681507a56c63ce828362a92f5ed3e0f9c5e40167b0173f8
                            • Instruction Fuzzy Hash: EBE1E271A047419FD724CF68C885B2AB7E0BF85324F240A2DF5958B2E1DB74D849EB52
                            Function 00FBBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                            Download Yara Rule
                            Strings
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00FF7B7F
                            • RTL: Resource at %p, xrefs: 00FF7B8E
                            • RTL: Re-Waiting, xrefs: 00FF7BAC
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            • Opcode ID: b1712d87a1eeb5069938aadbb01fcf07b9dc6cbd9368ee5b06ab1fc71219bd9a
                            • Instruction ID: 38d47b216abdf072fd051f89e31f26df86d0390559d92b7cc2dd381bb0ef988e
                            • Opcode Fuzzy Hash: b1712d87a1eeb5069938aadbb01fcf07b9dc6cbd9368ee5b06ab1fc71219bd9a
                            • Instruction Fuzzy Hash: 7741D1317047079FD720DE26CC41BAAB7E5EF89720F100A1DF9969B290DBB1E805AF91
                            Function 00FBB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                            Download Yara Rule
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF728C
                            Strings
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00FF7294
                            • RTL: Resource at %p, xrefs: 00FF72A3
                            • RTL: Re-Waiting, xrefs: 00FF72C1
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            • Opcode ID: 1b205bea23a3069e8fc55c88469a222262a39c876f6907c3cdd6389ddcbe088c
                            • Instruction ID: e3194258d451f4903f4d01177294bbd07c0cf043a18da1b6de73ec861a9245a6
                            • Opcode Fuzzy Hash: 1b205bea23a3069e8fc55c88469a222262a39c876f6907c3cdd6389ddcbe088c
                            • Instruction Fuzzy Hash: 1F410532B04306ABD720EE25CC41FAAB7A5FF54720F140619F955D7281DB60F802ABD1
                            Function 01032300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$]:%u
                            • API String ID: 48624451-3050659472
                            • Opcode ID: b2813c81d89e584f4cadca09960465cb0412cd0c5ffcb0a50c08860baa140326
                            • Instruction ID: 05e7815411a177c5e89f2726324cd8670e3bdb34a3cfa1487d864ffa9c685514
                            • Opcode Fuzzy Hash: b2813c81d89e584f4cadca09960465cb0412cd0c5ffcb0a50c08860baa140326
                            • Instruction Fuzzy Hash: 1A318472A00219AFDB60DE29DC41BEE77FCEB44610F454596E989E3241EB30AA449BA1
                            Function 00FC7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                            • Instruction ID: fcec2f58ce7413219321f9bb09a084412db1c6d12c982fff6a5febdba5034458
                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                            • Instruction Fuzzy Hash: 0C91A371E083079ADB24EE69CA82FBEB7A5AF44370F24451EE855A72C0D7309D41EF50
                            Function 00F89126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280
                            • Opcode ID: 6e65e2edcef35d82db1291f5687124f178c431d4394c5aea7bc1fabebac039a4
                            • Instruction ID: 35759746247822bdb5b0d076b66f97dd429d1f0dac31ab380c0a93e18346c5d7
                            • Opcode Fuzzy Hash: 6e65e2edcef35d82db1291f5687124f178c431d4394c5aea7bc1fabebac039a4
                            • Instruction Fuzzy Hash: F6813B72D046699BDB31DB54CC45BEEB7B8AF08710F0441EAA909B7280E7759E80DFA0
                            Function 0100CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                            Download Yara Rule
                            APIs
                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 0100CFBD
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1902184115.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_f50000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: CallFilterFunc@8
                            • String ID: @$@4_w@4_w
                            • API String ID: 4062629308-713214301
                            • Opcode ID: 14d4ccf6273c661241ec51645ac3330bcc1ddb0866080fd58bf9adada309a9c8
                            • Instruction ID: 942f9c9cb2d5cb8a097d613bef5986408cfee895c8059a13f989be811b12fa4c
                            • Opcode Fuzzy Hash: 14d4ccf6273c661241ec51645ac3330bcc1ddb0866080fd58bf9adada309a9c8
                            • Instruction Fuzzy Hash: 9141CD71900614DFEB22DFE9D841AAEBBB8FF44B40F00416AF984EB295D7399900DB61