Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO-0005082025 pdf.exe

Overview

General Information

Sample name:PO-0005082025 pdf.exe
Analysis ID:1587579
MD5:4881b4d16acf9ff18d4f3177718d1848
SHA1:04b19cbc9904c3971cf9b070db387fa0c5fbd438
SHA256:df33cc8034f776a46c83294a6696df8c997165ce84a0a54edcd7df5eaf919d45
Tags:exeuser-abuse_ch
Infos:

Detection

FormBook, PureLog Stealer
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PO-0005082025 pdf.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4881B4D16ACF9FF18D4F3177718D1848)
    • powershell.exe (PID: 1080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO-0005082025 pdf.exe (PID: 2376 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4881B4D16ACF9FF18D4F3177718D1848)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.2343499066.00000000012E0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000000.00000002.1553470146.0000000005520000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        00000000.00000002.1540455021.0000000003DC9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          Process Memory Space: PO-0005082025 pdf.exe PID: 6300JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.PO-0005082025 pdf.exe.5520000.3.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              5.2.PO-0005082025 pdf.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                5.2.PO-0005082025 pdf.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                  0.2.PO-0005082025 pdf.exe.5520000.3.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                    0.2.PO-0005082025 pdf.exe.3dc9970.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 6300, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 1080, ProcessName: powershell.exe
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 6300, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 1080, ProcessName: powershell.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 6300, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 1080, ProcessName: powershell.exe

                      Suricata Signatures

                      No Suricata rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: PO-0005082025 pdf.exeVirustotal: Detection: 59%Perma Link
                      Source: PO-0005082025 pdf.exeReversingLabs: Detection: 68%
                      Yara detected FormBook
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.2343499066.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for sample
                      Source: PO-0005082025 pdf.exeJoe Sandbox ML: detected
                      Source: PO-0005082025 pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO-0005082025 pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: wntdll.pdbUGP source: PO-0005082025 pdf.exe, 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO-0005082025 pdf.exe, PO-0005082025 pdf.exe, 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1536070906.0000000002E08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                      E-Banking Fraud

                      barindex
                      Yara detected FormBook
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.2343499066.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0042CCC3 NtClose,5_2_0042CCC3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2B60 NtClose,LdrInitializeThunk,5_2_014B2B60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_014B2DF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_014B2C70
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B35C0 NtCreateMutant,LdrInitializeThunk,5_2_014B35C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B4340 NtSetContextThread,5_2_014B4340
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B4650 NtSuspendThread,5_2_014B4650
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2BE0 NtQueryValueKey,5_2_014B2BE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2BF0 NtAllocateVirtualMemory,5_2_014B2BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2B80 NtQueryInformationFile,5_2_014B2B80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2BA0 NtEnumerateValueKey,5_2_014B2BA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2AD0 NtReadFile,5_2_014B2AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2AF0 NtWriteFile,5_2_014B2AF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2AB0 NtWaitForSingleObject,5_2_014B2AB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2D00 NtSetInformationFile,5_2_014B2D00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2D10 NtMapViewOfSection,5_2_014B2D10
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2D30 NtUnmapViewOfSection,5_2_014B2D30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2DD0 NtDelayExecution,5_2_014B2DD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2DB0 NtEnumerateKey,5_2_014B2DB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2C60 NtCreateKey,5_2_014B2C60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2C00 NtQueryInformationProcess,5_2_014B2C00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2CC0 NtQueryVirtualMemory,5_2_014B2CC0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2CF0 NtOpenProcess,5_2_014B2CF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2CA0 NtQueryInformationToken,5_2_014B2CA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2F60 NtCreateProcessEx,5_2_014B2F60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2F30 NtCreateSection,5_2_014B2F30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2FE0 NtCreateFile,5_2_014B2FE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2F90 NtProtectVirtualMemory,5_2_014B2F90
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2FA0 NtQuerySection,5_2_014B2FA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2FB0 NtResumeThread,5_2_014B2FB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2E30 NtWriteVirtualMemory,5_2_014B2E30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2EE0 NtQueueApcThread,5_2_014B2EE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2E80 NtReadVirtualMemory,5_2_014B2E80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2EA0 NtAdjustPrivilegesToken,5_2_014B2EA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B3010 NtOpenDirectoryObject,5_2_014B3010
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B3090 NtSetValueKey,5_2_014B3090
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B39B0 NtGetContextThread,5_2_014B39B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B3D70 NtOpenThread,5_2_014B3D70
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B3D10 NtOpenProcessToken,5_2_014B3D10
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_07185E600_2_07185E60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_07182D700_2_07182D70
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_071852A80_2_071852A8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_0718F0D80_2_0718F0D8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_0718F0C80_2_0718F0C8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_0718DE380_2_0718DE38
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_07185E500_2_07185E50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_07182D610_2_07182D61
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_07182A780_2_07182A78
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_07182A880_2_07182A88
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00401C665_2_00401C66
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004030455_2_00403045
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004030505_2_00403050
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040E8EA5_2_0040E8EA
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040E8F35_2_0040E8F3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040296B5_2_0040296B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004029705_2_00402970
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00404A475_2_00404A47
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0042F2B35_2_0042F2B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004014405_2_00401440
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004034205_2_00403420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0041056A5_2_0041056A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004105735_2_00410573
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004025C65_2_004025C6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004025D05_2_004025D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00402E2E5_2_00402E2E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00402E305_2_00402E30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00416F1E5_2_00416F1E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00416F235_2_00416F23
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004107935_2_00410793
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040E79A5_2_0040E79A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040E7A35_2_0040E7A3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015081585_2_01508158
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014701005_2_01470100
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151A1185_2_0151A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015381CC5_2_015381CC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015341A25_2_015341A2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015401AA5_2_015401AA
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015120005_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153A3525_2_0153A352
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015403E65_2_015403E6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E3F05_2_0148E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015202745_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015002C05_2_015002C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014805355_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015405915_2_01540591
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015324465_2_01532446
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015244205_2_01524420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152E4F65_2_0152E4F6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A47505_2_014A4750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014807705_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147C7C05_2_0147C7C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149C6E05_2_0149C6E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014969625_2_01496962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A05_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0154A9A65_2_0154A9A6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148A8405_2_0148A840
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014828405_2_01482840
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE8F05_2_014AE8F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014668B85_2_014668B8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153AB405_2_0153AB40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01536BD75_2_01536BD7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147EA805_2_0147EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148AD005_2_0148AD00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151CD1F5_2_0151CD1F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147ADE05_2_0147ADE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01498DBF5_2_01498DBF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480C005_2_01480C00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470CF25_2_01470CF2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520CB55_2_01520CB5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F4F405_2_014F4F40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01522F305_2_01522F30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C2F285_2_014C2F28
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A0F305_2_014A0F30
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01472FC85_2_01472FC8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148CFE05_2_0148CFE0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FEFA05_2_014FEFA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480E595_2_01480E59
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153EE265_2_0153EE26
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153EEDB5_2_0153EEDB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153CE935_2_0153CE93
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492E905_2_01492E90
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B516C5_2_014B516C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146F1725_2_0146F172
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0154B16B5_2_0154B16B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148B1B05_2_0148B1B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014870C05_2_014870C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152F0CC5_2_0152F0CC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153F0E05_2_0153F0E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015370E95_2_015370E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146D34C5_2_0146D34C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153132D5_2_0153132D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C739A5_2_014C739A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149B2C05_2_0149B2C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015212ED5_2_015212ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014852A05_2_014852A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015375715_2_01537571
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015495C35_2_015495C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151D5B05_2_0151D5B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014714605_2_01471460
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153F43F5_2_0153F43F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153F7B05_2_0153F7B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C56305_2_014C5630
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015316CC5_2_015316CC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014899505_2_01489950
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149B9505_2_0149B950
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015159105_2_01515910
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ED8005_2_014ED800
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014838E05_2_014838E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153FB765_2_0153FB76
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014BDBF95_2_014BDBF9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F5BF05_2_014F5BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149FB805_2_0149FB80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01537A465_2_01537A46
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153FA495_2_0153FA49
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F3A6C5_2_014F3A6C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152DAC65_2_0152DAC6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C5AA05_2_014C5AA0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01521AA35_2_01521AA3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151DAAC5_2_0151DAAC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01483D405_2_01483D40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01531D5A5_2_01531D5A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01537D735_2_01537D73
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149FDC05_2_0149FDC0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F9C325_2_014F9C32
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153FCF25_2_0153FCF2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153FF095_2_0153FF09
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01443FD55_2_01443FD5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01443FD25_2_01443FD2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01481F925_2_01481F92
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153FFB15_2_0153FFB1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01489EB05_2_01489EB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 014B5130 appears 58 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 0146B970 appears 280 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 014C7E54 appears 110 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 014FF290 appears 105 times
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: String function: 014EEA12 appears 86 times
                      Source: PO-0005082025 pdf.exeBinary or memory string: OriginalFilename vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1540455021.0000000003DC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1540455021.0000000003DC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1554664589.00000000071A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1553470146.0000000005520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000002.1530879067.00000000010FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000000.00000000.1359512786.0000000000A02000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIVGw.exe@ vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exe, 00000005.00000002.2343681886.000000000156D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exeBinary or memory string: OriginalFilenameIVGw.exe@ vs PO-0005082025 pdf.exe
                      Source: PO-0005082025 pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO-0005082025 pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal96.troj.evad.winEXE@6/6@0/0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0005082025 pdf.exe.logJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3556:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihvz2los.2z4.ps1Jump to behavior
                      Source: PO-0005082025 pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: PO-0005082025 pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: PO-0005082025 pdf.exeVirustotal: Detection: 59%
                      Source: PO-0005082025 pdf.exeReversingLabs: Detection: 68%
                      Source: unknownProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: iconcodecservice.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: PO-0005082025 pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO-0005082025 pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: wntdll.pdbUGP source: PO-0005082025 pdf.exe, 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO-0005082025 pdf.exe, PO-0005082025 pdf.exe, 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 0_2_071863A9 push 7405EE5Eh; ret 0_2_071863B5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004178CA push edx; iretd 5_2_004178CD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004150EB push esp; iretd 5_2_0041514F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040D8B6 push ecx; ret 5_2_0040D8B7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00415119 push esp; iretd 5_2_0041514F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00424A53 push 3D550B4Fh; ret 5_2_00424A6B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00417A3B push ebx; iretd 5_2_00417A3C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00423D13 push edi; retf 5_2_00423D1E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00423DBE push esp; iretd 5_2_00423DE4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0040AEDA push FFFFFF84h; retf 5_2_0040AEDC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_004036A0 push eax; ret 5_2_004036A2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0144225F pushad ; ret 5_2_014427F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014427FA pushad ; ret 5_2_014427F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014709AD push ecx; mov dword ptr [esp], ecx5_2_014709B6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0144283D push eax; iretd 5_2_01442858
                      Source: PO-0005082025 pdf.exeStatic PE information: section name: .text entropy: 7.759221001325472

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: PO-0005082025 pdf.exe PID: 6300, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 1010000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 2DC0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 13F0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 7C10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 8C10000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 8DC0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: 9DC0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B096E rdtsc 5_2_014B096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4432Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 768Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeAPI coverage: 0.6 %
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe TID: 4476Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1944Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe TID: 1096Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B096E rdtsc 5_2_014B096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_00417EB3 LdrLoadDll,5_2_00417EB3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01508158 mov eax, dword ptr fs:[00000030h]5_2_01508158
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146C156 mov eax, dword ptr fs:[00000030h]5_2_0146C156
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476154 mov eax, dword ptr fs:[00000030h]5_2_01476154
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476154 mov eax, dword ptr fs:[00000030h]5_2_01476154
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01504144 mov eax, dword ptr fs:[00000030h]5_2_01504144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01504144 mov eax, dword ptr fs:[00000030h]5_2_01504144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01504144 mov ecx, dword ptr fs:[00000030h]5_2_01504144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01504144 mov eax, dword ptr fs:[00000030h]5_2_01504144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01504144 mov eax, dword ptr fs:[00000030h]5_2_01504144
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544164 mov eax, dword ptr fs:[00000030h]5_2_01544164
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544164 mov eax, dword ptr fs:[00000030h]5_2_01544164
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01530115 mov eax, dword ptr fs:[00000030h]5_2_01530115
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151A118 mov ecx, dword ptr fs:[00000030h]5_2_0151A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151A118 mov eax, dword ptr fs:[00000030h]5_2_0151A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151A118 mov eax, dword ptr fs:[00000030h]5_2_0151A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151A118 mov eax, dword ptr fs:[00000030h]5_2_0151A118
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov eax, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov ecx, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov eax, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov eax, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov ecx, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov eax, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov eax, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov ecx, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov eax, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E10E mov ecx, dword ptr fs:[00000030h]5_2_0151E10E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A0124 mov eax, dword ptr fs:[00000030h]5_2_014A0124
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015361C3 mov eax, dword ptr fs:[00000030h]5_2_015361C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015361C3 mov eax, dword ptr fs:[00000030h]5_2_015361C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE1D0 mov eax, dword ptr fs:[00000030h]5_2_014EE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE1D0 mov eax, dword ptr fs:[00000030h]5_2_014EE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE1D0 mov ecx, dword ptr fs:[00000030h]5_2_014EE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE1D0 mov eax, dword ptr fs:[00000030h]5_2_014EE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE1D0 mov eax, dword ptr fs:[00000030h]5_2_014EE1D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015461E5 mov eax, dword ptr fs:[00000030h]5_2_015461E5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A01F8 mov eax, dword ptr fs:[00000030h]5_2_014A01F8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B0185 mov eax, dword ptr fs:[00000030h]5_2_014B0185
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F019F mov eax, dword ptr fs:[00000030h]5_2_014F019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F019F mov eax, dword ptr fs:[00000030h]5_2_014F019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F019F mov eax, dword ptr fs:[00000030h]5_2_014F019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F019F mov eax, dword ptr fs:[00000030h]5_2_014F019F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146A197 mov eax, dword ptr fs:[00000030h]5_2_0146A197
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146A197 mov eax, dword ptr fs:[00000030h]5_2_0146A197
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146A197 mov eax, dword ptr fs:[00000030h]5_2_0146A197
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01514180 mov eax, dword ptr fs:[00000030h]5_2_01514180
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01514180 mov eax, dword ptr fs:[00000030h]5_2_01514180
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152C188 mov eax, dword ptr fs:[00000030h]5_2_0152C188
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152C188 mov eax, dword ptr fs:[00000030h]5_2_0152C188
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01472050 mov eax, dword ptr fs:[00000030h]5_2_01472050
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6050 mov eax, dword ptr fs:[00000030h]5_2_014F6050
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149C073 mov eax, dword ptr fs:[00000030h]5_2_0149C073
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F4000 mov ecx, dword ptr fs:[00000030h]5_2_014F4000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01512000 mov eax, dword ptr fs:[00000030h]5_2_01512000
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E016 mov eax, dword ptr fs:[00000030h]5_2_0148E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E016 mov eax, dword ptr fs:[00000030h]5_2_0148E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E016 mov eax, dword ptr fs:[00000030h]5_2_0148E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E016 mov eax, dword ptr fs:[00000030h]5_2_0148E016
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01506030 mov eax, dword ptr fs:[00000030h]5_2_01506030
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146A020 mov eax, dword ptr fs:[00000030h]5_2_0146A020
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146C020 mov eax, dword ptr fs:[00000030h]5_2_0146C020
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F20DE mov eax, dword ptr fs:[00000030h]5_2_014F20DE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146A0E3 mov ecx, dword ptr fs:[00000030h]5_2_0146A0E3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014780E9 mov eax, dword ptr fs:[00000030h]5_2_014780E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F60E0 mov eax, dword ptr fs:[00000030h]5_2_014F60E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146C0F0 mov eax, dword ptr fs:[00000030h]5_2_0146C0F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B20F0 mov ecx, dword ptr fs:[00000030h]5_2_014B20F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147208A mov eax, dword ptr fs:[00000030h]5_2_0147208A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014680A0 mov eax, dword ptr fs:[00000030h]5_2_014680A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015360B8 mov eax, dword ptr fs:[00000030h]5_2_015360B8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015360B8 mov ecx, dword ptr fs:[00000030h]5_2_015360B8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015080A8 mov eax, dword ptr fs:[00000030h]5_2_015080A8
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153A352 mov eax, dword ptr fs:[00000030h]5_2_0153A352
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01518350 mov ecx, dword ptr fs:[00000030h]5_2_01518350
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F2349 mov eax, dword ptr fs:[00000030h]5_2_014F2349
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F035C mov eax, dword ptr fs:[00000030h]5_2_014F035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F035C mov eax, dword ptr fs:[00000030h]5_2_014F035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F035C mov eax, dword ptr fs:[00000030h]5_2_014F035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F035C mov ecx, dword ptr fs:[00000030h]5_2_014F035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F035C mov eax, dword ptr fs:[00000030h]5_2_014F035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F035C mov eax, dword ptr fs:[00000030h]5_2_014F035C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0154634F mov eax, dword ptr fs:[00000030h]5_2_0154634F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151437C mov eax, dword ptr fs:[00000030h]5_2_0151437C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA30B mov eax, dword ptr fs:[00000030h]5_2_014AA30B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA30B mov eax, dword ptr fs:[00000030h]5_2_014AA30B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA30B mov eax, dword ptr fs:[00000030h]5_2_014AA30B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146C310 mov ecx, dword ptr fs:[00000030h]5_2_0146C310
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01490310 mov ecx, dword ptr fs:[00000030h]5_2_01490310
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01548324 mov eax, dword ptr fs:[00000030h]5_2_01548324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01548324 mov ecx, dword ptr fs:[00000030h]5_2_01548324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01548324 mov eax, dword ptr fs:[00000030h]5_2_01548324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01548324 mov eax, dword ptr fs:[00000030h]5_2_01548324
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015143D4 mov eax, dword ptr fs:[00000030h]5_2_015143D4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015143D4 mov eax, dword ptr fs:[00000030h]5_2_015143D4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A3C0 mov eax, dword ptr fs:[00000030h]5_2_0147A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A3C0 mov eax, dword ptr fs:[00000030h]5_2_0147A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A3C0 mov eax, dword ptr fs:[00000030h]5_2_0147A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A3C0 mov eax, dword ptr fs:[00000030h]5_2_0147A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A3C0 mov eax, dword ptr fs:[00000030h]5_2_0147A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A3C0 mov eax, dword ptr fs:[00000030h]5_2_0147A3C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014783C0 mov eax, dword ptr fs:[00000030h]5_2_014783C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014783C0 mov eax, dword ptr fs:[00000030h]5_2_014783C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014783C0 mov eax, dword ptr fs:[00000030h]5_2_014783C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014783C0 mov eax, dword ptr fs:[00000030h]5_2_014783C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E3DB mov eax, dword ptr fs:[00000030h]5_2_0151E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E3DB mov eax, dword ptr fs:[00000030h]5_2_0151E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E3DB mov ecx, dword ptr fs:[00000030h]5_2_0151E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151E3DB mov eax, dword ptr fs:[00000030h]5_2_0151E3DB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F63C0 mov eax, dword ptr fs:[00000030h]5_2_014F63C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152C3CD mov eax, dword ptr fs:[00000030h]5_2_0152C3CD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014803E9 mov eax, dword ptr fs:[00000030h]5_2_014803E9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A63FF mov eax, dword ptr fs:[00000030h]5_2_014A63FF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E3F0 mov eax, dword ptr fs:[00000030h]5_2_0148E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E3F0 mov eax, dword ptr fs:[00000030h]5_2_0148E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E3F0 mov eax, dword ptr fs:[00000030h]5_2_0148E3F0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149438F mov eax, dword ptr fs:[00000030h]5_2_0149438F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149438F mov eax, dword ptr fs:[00000030h]5_2_0149438F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146E388 mov eax, dword ptr fs:[00000030h]5_2_0146E388
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146E388 mov eax, dword ptr fs:[00000030h]5_2_0146E388
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146E388 mov eax, dword ptr fs:[00000030h]5_2_0146E388
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01468397 mov eax, dword ptr fs:[00000030h]5_2_01468397
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01468397 mov eax, dword ptr fs:[00000030h]5_2_01468397
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01468397 mov eax, dword ptr fs:[00000030h]5_2_01468397
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152A250 mov eax, dword ptr fs:[00000030h]5_2_0152A250
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152A250 mov eax, dword ptr fs:[00000030h]5_2_0152A250
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0154625D mov eax, dword ptr fs:[00000030h]5_2_0154625D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F8243 mov eax, dword ptr fs:[00000030h]5_2_014F8243
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F8243 mov ecx, dword ptr fs:[00000030h]5_2_014F8243
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146A250 mov eax, dword ptr fs:[00000030h]5_2_0146A250
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476259 mov eax, dword ptr fs:[00000030h]5_2_01476259
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01520274 mov eax, dword ptr fs:[00000030h]5_2_01520274
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474260 mov eax, dword ptr fs:[00000030h]5_2_01474260
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474260 mov eax, dword ptr fs:[00000030h]5_2_01474260
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474260 mov eax, dword ptr fs:[00000030h]5_2_01474260
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146826B mov eax, dword ptr fs:[00000030h]5_2_0146826B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146823B mov eax, dword ptr fs:[00000030h]5_2_0146823B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015462D6 mov eax, dword ptr fs:[00000030h]5_2_015462D6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A2C3 mov eax, dword ptr fs:[00000030h]5_2_0147A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A2C3 mov eax, dword ptr fs:[00000030h]5_2_0147A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A2C3 mov eax, dword ptr fs:[00000030h]5_2_0147A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A2C3 mov eax, dword ptr fs:[00000030h]5_2_0147A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A2C3 mov eax, dword ptr fs:[00000030h]5_2_0147A2C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014802E1 mov eax, dword ptr fs:[00000030h]5_2_014802E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014802E1 mov eax, dword ptr fs:[00000030h]5_2_014802E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014802E1 mov eax, dword ptr fs:[00000030h]5_2_014802E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F0283 mov eax, dword ptr fs:[00000030h]5_2_014F0283
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F0283 mov eax, dword ptr fs:[00000030h]5_2_014F0283
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F0283 mov eax, dword ptr fs:[00000030h]5_2_014F0283
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE284 mov eax, dword ptr fs:[00000030h]5_2_014AE284
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE284 mov eax, dword ptr fs:[00000030h]5_2_014AE284
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014802A0 mov eax, dword ptr fs:[00000030h]5_2_014802A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014802A0 mov eax, dword ptr fs:[00000030h]5_2_014802A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015062A0 mov eax, dword ptr fs:[00000030h]5_2_015062A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015062A0 mov ecx, dword ptr fs:[00000030h]5_2_015062A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015062A0 mov eax, dword ptr fs:[00000030h]5_2_015062A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015062A0 mov eax, dword ptr fs:[00000030h]5_2_015062A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015062A0 mov eax, dword ptr fs:[00000030h]5_2_015062A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015062A0 mov eax, dword ptr fs:[00000030h]5_2_015062A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01478550 mov eax, dword ptr fs:[00000030h]5_2_01478550
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01478550 mov eax, dword ptr fs:[00000030h]5_2_01478550
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A656A mov eax, dword ptr fs:[00000030h]5_2_014A656A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A656A mov eax, dword ptr fs:[00000030h]5_2_014A656A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A656A mov eax, dword ptr fs:[00000030h]5_2_014A656A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01506500 mov eax, dword ptr fs:[00000030h]5_2_01506500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544500 mov eax, dword ptr fs:[00000030h]5_2_01544500
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E53E mov eax, dword ptr fs:[00000030h]5_2_0149E53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E53E mov eax, dword ptr fs:[00000030h]5_2_0149E53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E53E mov eax, dword ptr fs:[00000030h]5_2_0149E53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E53E mov eax, dword ptr fs:[00000030h]5_2_0149E53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E53E mov eax, dword ptr fs:[00000030h]5_2_0149E53E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480535 mov eax, dword ptr fs:[00000030h]5_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480535 mov eax, dword ptr fs:[00000030h]5_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480535 mov eax, dword ptr fs:[00000030h]5_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480535 mov eax, dword ptr fs:[00000030h]5_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480535 mov eax, dword ptr fs:[00000030h]5_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480535 mov eax, dword ptr fs:[00000030h]5_2_01480535
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE5CF mov eax, dword ptr fs:[00000030h]5_2_014AE5CF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE5CF mov eax, dword ptr fs:[00000030h]5_2_014AE5CF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014765D0 mov eax, dword ptr fs:[00000030h]5_2_014765D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA5D0 mov eax, dword ptr fs:[00000030h]5_2_014AA5D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA5D0 mov eax, dword ptr fs:[00000030h]5_2_014AA5D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014725E0 mov eax, dword ptr fs:[00000030h]5_2_014725E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC5ED mov eax, dword ptr fs:[00000030h]5_2_014AC5ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC5ED mov eax, dword ptr fs:[00000030h]5_2_014AC5ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E5E7 mov eax, dword ptr fs:[00000030h]5_2_0149E5E7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A4588 mov eax, dword ptr fs:[00000030h]5_2_014A4588
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01472582 mov eax, dword ptr fs:[00000030h]5_2_01472582
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01472582 mov ecx, dword ptr fs:[00000030h]5_2_01472582
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE59C mov eax, dword ptr fs:[00000030h]5_2_014AE59C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F05A7 mov eax, dword ptr fs:[00000030h]5_2_014F05A7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F05A7 mov eax, dword ptr fs:[00000030h]5_2_014F05A7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F05A7 mov eax, dword ptr fs:[00000030h]5_2_014F05A7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014945B1 mov eax, dword ptr fs:[00000030h]5_2_014945B1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014945B1 mov eax, dword ptr fs:[00000030h]5_2_014945B1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152A456 mov eax, dword ptr fs:[00000030h]5_2_0152A456
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AE443 mov eax, dword ptr fs:[00000030h]5_2_014AE443
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149245A mov eax, dword ptr fs:[00000030h]5_2_0149245A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146645D mov eax, dword ptr fs:[00000030h]5_2_0146645D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FC460 mov ecx, dword ptr fs:[00000030h]5_2_014FC460
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149A470 mov eax, dword ptr fs:[00000030h]5_2_0149A470
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149A470 mov eax, dword ptr fs:[00000030h]5_2_0149A470
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149A470 mov eax, dword ptr fs:[00000030h]5_2_0149A470
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A8402 mov eax, dword ptr fs:[00000030h]5_2_014A8402
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A8402 mov eax, dword ptr fs:[00000030h]5_2_014A8402
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A8402 mov eax, dword ptr fs:[00000030h]5_2_014A8402
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146C427 mov eax, dword ptr fs:[00000030h]5_2_0146C427
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146E420 mov eax, dword ptr fs:[00000030h]5_2_0146E420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146E420 mov eax, dword ptr fs:[00000030h]5_2_0146E420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146E420 mov eax, dword ptr fs:[00000030h]5_2_0146E420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F6420 mov eax, dword ptr fs:[00000030h]5_2_014F6420
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA430 mov eax, dword ptr fs:[00000030h]5_2_014AA430
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014704E5 mov ecx, dword ptr fs:[00000030h]5_2_014704E5
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0152A49A mov eax, dword ptr fs:[00000030h]5_2_0152A49A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014764AB mov eax, dword ptr fs:[00000030h]5_2_014764AB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A44B0 mov ecx, dword ptr fs:[00000030h]5_2_014A44B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FA4B0 mov eax, dword ptr fs:[00000030h]5_2_014FA4B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A674D mov esi, dword ptr fs:[00000030h]5_2_014A674D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A674D mov eax, dword ptr fs:[00000030h]5_2_014A674D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A674D mov eax, dword ptr fs:[00000030h]5_2_014A674D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FE75D mov eax, dword ptr fs:[00000030h]5_2_014FE75D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470750 mov eax, dword ptr fs:[00000030h]5_2_01470750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F4755 mov eax, dword ptr fs:[00000030h]5_2_014F4755
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2750 mov eax, dword ptr fs:[00000030h]5_2_014B2750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2750 mov eax, dword ptr fs:[00000030h]5_2_014B2750
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01478770 mov eax, dword ptr fs:[00000030h]5_2_01478770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480770 mov eax, dword ptr fs:[00000030h]5_2_01480770
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC700 mov eax, dword ptr fs:[00000030h]5_2_014AC700
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470710 mov eax, dword ptr fs:[00000030h]5_2_01470710
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A0710 mov eax, dword ptr fs:[00000030h]5_2_014A0710
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC720 mov eax, dword ptr fs:[00000030h]5_2_014AC720
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC720 mov eax, dword ptr fs:[00000030h]5_2_014AC720
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A273C mov eax, dword ptr fs:[00000030h]5_2_014A273C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A273C mov ecx, dword ptr fs:[00000030h]5_2_014A273C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A273C mov eax, dword ptr fs:[00000030h]5_2_014A273C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EC730 mov eax, dword ptr fs:[00000030h]5_2_014EC730
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147C7C0 mov eax, dword ptr fs:[00000030h]5_2_0147C7C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F07C3 mov eax, dword ptr fs:[00000030h]5_2_014F07C3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014927ED mov eax, dword ptr fs:[00000030h]5_2_014927ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014927ED mov eax, dword ptr fs:[00000030h]5_2_014927ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014927ED mov eax, dword ptr fs:[00000030h]5_2_014927ED
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FE7E1 mov eax, dword ptr fs:[00000030h]5_2_014FE7E1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014747FB mov eax, dword ptr fs:[00000030h]5_2_014747FB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014747FB mov eax, dword ptr fs:[00000030h]5_2_014747FB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151678E mov eax, dword ptr fs:[00000030h]5_2_0151678E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014707AF mov eax, dword ptr fs:[00000030h]5_2_014707AF
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015247A0 mov eax, dword ptr fs:[00000030h]5_2_015247A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148C640 mov eax, dword ptr fs:[00000030h]5_2_0148C640
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA660 mov eax, dword ptr fs:[00000030h]5_2_014AA660
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA660 mov eax, dword ptr fs:[00000030h]5_2_014AA660
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153866E mov eax, dword ptr fs:[00000030h]5_2_0153866E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153866E mov eax, dword ptr fs:[00000030h]5_2_0153866E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A2674 mov eax, dword ptr fs:[00000030h]5_2_014A2674
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148260B mov eax, dword ptr fs:[00000030h]5_2_0148260B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE609 mov eax, dword ptr fs:[00000030h]5_2_014EE609
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B2619 mov eax, dword ptr fs:[00000030h]5_2_014B2619
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A6620 mov eax, dword ptr fs:[00000030h]5_2_014A6620
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A8620 mov eax, dword ptr fs:[00000030h]5_2_014A8620
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147262C mov eax, dword ptr fs:[00000030h]5_2_0147262C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0148E627 mov eax, dword ptr fs:[00000030h]5_2_0148E627
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA6C7 mov ebx, dword ptr fs:[00000030h]5_2_014AA6C7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA6C7 mov eax, dword ptr fs:[00000030h]5_2_014AA6C7
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE6F2 mov eax, dword ptr fs:[00000030h]5_2_014EE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE6F2 mov eax, dword ptr fs:[00000030h]5_2_014EE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE6F2 mov eax, dword ptr fs:[00000030h]5_2_014EE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE6F2 mov eax, dword ptr fs:[00000030h]5_2_014EE6F2
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F06F1 mov eax, dword ptr fs:[00000030h]5_2_014F06F1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F06F1 mov eax, dword ptr fs:[00000030h]5_2_014F06F1
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474690 mov eax, dword ptr fs:[00000030h]5_2_01474690
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474690 mov eax, dword ptr fs:[00000030h]5_2_01474690
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC6A6 mov eax, dword ptr fs:[00000030h]5_2_014AC6A6
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A66B0 mov eax, dword ptr fs:[00000030h]5_2_014A66B0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F0946 mov eax, dword ptr fs:[00000030h]5_2_014F0946
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544940 mov eax, dword ptr fs:[00000030h]5_2_01544940
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B096E mov eax, dword ptr fs:[00000030h]5_2_014B096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B096E mov edx, dword ptr fs:[00000030h]5_2_014B096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014B096E mov eax, dword ptr fs:[00000030h]5_2_014B096E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01514978 mov eax, dword ptr fs:[00000030h]5_2_01514978
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01514978 mov eax, dword ptr fs:[00000030h]5_2_01514978
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01496962 mov eax, dword ptr fs:[00000030h]5_2_01496962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01496962 mov eax, dword ptr fs:[00000030h]5_2_01496962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01496962 mov eax, dword ptr fs:[00000030h]5_2_01496962
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FC97C mov eax, dword ptr fs:[00000030h]5_2_014FC97C
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE908 mov eax, dword ptr fs:[00000030h]5_2_014EE908
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EE908 mov eax, dword ptr fs:[00000030h]5_2_014EE908
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FC912 mov eax, dword ptr fs:[00000030h]5_2_014FC912
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01468918 mov eax, dword ptr fs:[00000030h]5_2_01468918
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01468918 mov eax, dword ptr fs:[00000030h]5_2_01468918
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F892A mov eax, dword ptr fs:[00000030h]5_2_014F892A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0150892B mov eax, dword ptr fs:[00000030h]5_2_0150892B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153A9D3 mov eax, dword ptr fs:[00000030h]5_2_0153A9D3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015069C0 mov eax, dword ptr fs:[00000030h]5_2_015069C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A9D0 mov eax, dword ptr fs:[00000030h]5_2_0147A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A9D0 mov eax, dword ptr fs:[00000030h]5_2_0147A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A9D0 mov eax, dword ptr fs:[00000030h]5_2_0147A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A9D0 mov eax, dword ptr fs:[00000030h]5_2_0147A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A9D0 mov eax, dword ptr fs:[00000030h]5_2_0147A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147A9D0 mov eax, dword ptr fs:[00000030h]5_2_0147A9D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A49D0 mov eax, dword ptr fs:[00000030h]5_2_014A49D0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FE9E0 mov eax, dword ptr fs:[00000030h]5_2_014FE9E0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A29F9 mov eax, dword ptr fs:[00000030h]5_2_014A29F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A29F9 mov eax, dword ptr fs:[00000030h]5_2_014A29F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014829A0 mov eax, dword ptr fs:[00000030h]5_2_014829A0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014709AD mov eax, dword ptr fs:[00000030h]5_2_014709AD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014709AD mov eax, dword ptr fs:[00000030h]5_2_014709AD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F89B3 mov esi, dword ptr fs:[00000030h]5_2_014F89B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F89B3 mov eax, dword ptr fs:[00000030h]5_2_014F89B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014F89B3 mov eax, dword ptr fs:[00000030h]5_2_014F89B3
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01482840 mov ecx, dword ptr fs:[00000030h]5_2_01482840
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474859 mov eax, dword ptr fs:[00000030h]5_2_01474859
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01474859 mov eax, dword ptr fs:[00000030h]5_2_01474859
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A0854 mov eax, dword ptr fs:[00000030h]5_2_014A0854
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01506870 mov eax, dword ptr fs:[00000030h]5_2_01506870
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01506870 mov eax, dword ptr fs:[00000030h]5_2_01506870
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FE872 mov eax, dword ptr fs:[00000030h]5_2_014FE872
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FE872 mov eax, dword ptr fs:[00000030h]5_2_014FE872
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FC810 mov eax, dword ptr fs:[00000030h]5_2_014FC810
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151483A mov eax, dword ptr fs:[00000030h]5_2_0151483A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151483A mov eax, dword ptr fs:[00000030h]5_2_0151483A
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AA830 mov eax, dword ptr fs:[00000030h]5_2_014AA830
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492835 mov eax, dword ptr fs:[00000030h]5_2_01492835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492835 mov eax, dword ptr fs:[00000030h]5_2_01492835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492835 mov eax, dword ptr fs:[00000030h]5_2_01492835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492835 mov ecx, dword ptr fs:[00000030h]5_2_01492835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492835 mov eax, dword ptr fs:[00000030h]5_2_01492835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01492835 mov eax, dword ptr fs:[00000030h]5_2_01492835
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149E8C0 mov eax, dword ptr fs:[00000030h]5_2_0149E8C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_015408C0 mov eax, dword ptr fs:[00000030h]5_2_015408C0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC8F9 mov eax, dword ptr fs:[00000030h]5_2_014AC8F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AC8F9 mov eax, dword ptr fs:[00000030h]5_2_014AC8F9
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153A8E4 mov eax, dword ptr fs:[00000030h]5_2_0153A8E4
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470887 mov eax, dword ptr fs:[00000030h]5_2_01470887
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FC89D mov eax, dword ptr fs:[00000030h]5_2_014FC89D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151EB50 mov eax, dword ptr fs:[00000030h]5_2_0151EB50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01542B57 mov eax, dword ptr fs:[00000030h]5_2_01542B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01542B57 mov eax, dword ptr fs:[00000030h]5_2_01542B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01542B57 mov eax, dword ptr fs:[00000030h]5_2_01542B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01542B57 mov eax, dword ptr fs:[00000030h]5_2_01542B57
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01506B40 mov eax, dword ptr fs:[00000030h]5_2_01506B40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01506B40 mov eax, dword ptr fs:[00000030h]5_2_01506B40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0153AB40 mov eax, dword ptr fs:[00000030h]5_2_0153AB40
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01518B42 mov eax, dword ptr fs:[00000030h]5_2_01518B42
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01468B50 mov eax, dword ptr fs:[00000030h]5_2_01468B50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01524B4B mov eax, dword ptr fs:[00000030h]5_2_01524B4B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01524B4B mov eax, dword ptr fs:[00000030h]5_2_01524B4B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0146CB7E mov eax, dword ptr fs:[00000030h]5_2_0146CB7E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014EEB1D mov eax, dword ptr fs:[00000030h]5_2_014EEB1D
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01544B00 mov eax, dword ptr fs:[00000030h]5_2_01544B00
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149EB20 mov eax, dword ptr fs:[00000030h]5_2_0149EB20
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149EB20 mov eax, dword ptr fs:[00000030h]5_2_0149EB20
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01538B28 mov eax, dword ptr fs:[00000030h]5_2_01538B28
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01538B28 mov eax, dword ptr fs:[00000030h]5_2_01538B28
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151EBD0 mov eax, dword ptr fs:[00000030h]5_2_0151EBD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01490BCB mov eax, dword ptr fs:[00000030h]5_2_01490BCB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01490BCB mov eax, dword ptr fs:[00000030h]5_2_01490BCB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01490BCB mov eax, dword ptr fs:[00000030h]5_2_01490BCB
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470BCD mov eax, dword ptr fs:[00000030h]5_2_01470BCD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470BCD mov eax, dword ptr fs:[00000030h]5_2_01470BCD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470BCD mov eax, dword ptr fs:[00000030h]5_2_01470BCD
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149EBFC mov eax, dword ptr fs:[00000030h]5_2_0149EBFC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01478BF0 mov eax, dword ptr fs:[00000030h]5_2_01478BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01478BF0 mov eax, dword ptr fs:[00000030h]5_2_01478BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01478BF0 mov eax, dword ptr fs:[00000030h]5_2_01478BF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FCBF0 mov eax, dword ptr fs:[00000030h]5_2_014FCBF0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01524BB0 mov eax, dword ptr fs:[00000030h]5_2_01524BB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01524BB0 mov eax, dword ptr fs:[00000030h]5_2_01524BB0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480BBE mov eax, dword ptr fs:[00000030h]5_2_01480BBE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480BBE mov eax, dword ptr fs:[00000030h]5_2_01480BBE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480A5B mov eax, dword ptr fs:[00000030h]5_2_01480A5B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01480A5B mov eax, dword ptr fs:[00000030h]5_2_01480A5B
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01476A50 mov eax, dword ptr fs:[00000030h]5_2_01476A50
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ACA6F mov eax, dword ptr fs:[00000030h]5_2_014ACA6F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ACA6F mov eax, dword ptr fs:[00000030h]5_2_014ACA6F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ACA6F mov eax, dword ptr fs:[00000030h]5_2_014ACA6F
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0151EA60 mov eax, dword ptr fs:[00000030h]5_2_0151EA60
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ECA72 mov eax, dword ptr fs:[00000030h]5_2_014ECA72
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ECA72 mov eax, dword ptr fs:[00000030h]5_2_014ECA72
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014FCA11 mov eax, dword ptr fs:[00000030h]5_2_014FCA11
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0149EA2E mov eax, dword ptr fs:[00000030h]5_2_0149EA2E
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ACA24 mov eax, dword ptr fs:[00000030h]5_2_014ACA24
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014ACA38 mov eax, dword ptr fs:[00000030h]5_2_014ACA38
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01494A35 mov eax, dword ptr fs:[00000030h]5_2_01494A35
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01494A35 mov eax, dword ptr fs:[00000030h]5_2_01494A35
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C6ACC mov eax, dword ptr fs:[00000030h]5_2_014C6ACC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C6ACC mov eax, dword ptr fs:[00000030h]5_2_014C6ACC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014C6ACC mov eax, dword ptr fs:[00000030h]5_2_014C6ACC
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_01470AD0 mov eax, dword ptr fs:[00000030h]5_2_01470AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A4AD0 mov eax, dword ptr fs:[00000030h]5_2_014A4AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014A4AD0 mov eax, dword ptr fs:[00000030h]5_2_014A4AD0
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AAAEE mov eax, dword ptr fs:[00000030h]5_2_014AAAEE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_014AAAEE mov eax, dword ptr fs:[00000030h]5_2_014AAAEE
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147EA80 mov eax, dword ptr fs:[00000030h]5_2_0147EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147EA80 mov eax, dword ptr fs:[00000030h]5_2_0147EA80
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeCode function: 5_2_0147EA80 mov eax, dword ptr fs:[00000030h]5_2_0147EA80
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeMemory written: C:\Users\user\Desktop\PO-0005082025 pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeProcess created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Users\user\Desktop\PO-0005082025 pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO-0005082025 pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected FormBook
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.2343499066.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Yara detected PureLog Stealer
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.5520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.5520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.3dc9970.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1553470146.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1540455021.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Yara detected FormBook
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.2343499066.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Yara detected PureLog Stealer
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.5520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.5520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO-0005082025 pdf.exe.3dc9970.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1553470146.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1540455021.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                      DLL Side-Loading                      		111
                      Process Injection                      		1
                      Masquerading                      		OS Credential Dumping2
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		11
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
                      Virtualization/Sandbox Evasion                      		Security Account Manager41
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Deobfuscate/Decode Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                      Obfuscated Files or Information                      		Cached Domain Credentials12
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 1587579 Sample: PO-0005082025 pdf.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 96 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected PureLog Stealer 2->22 24 Yara detected FormBook 2->24 26 5 other signatures 2->26 7 PO-0005082025 pdf.exe 4 2->7         started        process3 file4 18 C:\Users\user\...\PO-0005082025 pdf.exe.log, ASCII 7->18 dropped 28 Adds a directory exclusion to Windows Defender 7->28 30 Injects a PE file into a foreign processes 7->30 11 powershell.exe 23 7->11         started        14 PO-0005082025 pdf.exe 7->14         started        signatures5 process6 signatures7 32 Loading BitLocker PowerShell Module 11->32 16 conhost.exe 11->16         started        process8

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      PO-0005082025 pdf.exe60%VirustotalBrowse
                      PO-0005082025 pdf.exe68%ReversingLabsWin32.Backdoor.FormBook
                      PO-0005082025 pdf.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      s-part-0017.t-0009.t-msedge.net
                      		13.107.246.45
                      		truefalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePO-0005082025 pdf.exe, 00000000.00000002.1536070906.0000000002E08000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high

                          World Map of Contacted IPs

                          No contacted IP infos

                          General Information

                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1587579
                          Start date and time:2025-01-10 15:12:52 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 7m 14s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Run name:Run with higher sleep bypass
                          Number of analysed new started processes analysed:12
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:PO-0005082025 pdf.exe
                          Detection:MAL
                          Classification:mal96.troj.evad.winEXE@6/6@0/0
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 95%
                          • Number of executed functions: 39
                          • Number of non-executed functions: 270
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 172.202.163.200
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          No simulations

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          s-part-0017.t-0009.t-msedge.netShipping Document.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                          • 13.107.246.45
                          1712226379134618467.jsGet hashmaliciousStrela DownloaderBrowse
                          • 13.107.246.45
                          https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGNGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          https://www.filemail.com/d/rxythqchkhluipl?skipreg=trueGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          https://eu.jotform.com/app/250092704521347Get hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.chGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          https://app.planable.io/review/0OPaw36t6M_kGet hashmaliciousHTMLPhisherBrowse
                          • 13.107.246.45
                          PDFONLINE.exeGet hashmaliciousUnknownBrowse
                          • 13.107.246.45
                          OTTIMAX RFQ BID1122263.xlsxGet hashmaliciousUnknownBrowse
                          • 13.107.246.45

                          ASNs

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0005082025 pdf.exe.log

                          Download File
                          Process:C:\Users\user\Desktop\PO-0005082025 pdf.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1172
                          Entropy (8bit):5.338196604347723
                          Encrypted:false
                          SSDEEP:24:3AWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:wWSU4y4RQmFoUeWmfmZ9tK8NDE
                          MD5:F764F6C79360312B289540E0E909A19F
                          SHA1:099FC529B36FF3FB002E81EDE296BBFF8921A999
                          SHA-256:57E00F65B7CABA8B5C7F3C9F1C875A56B81E0C8A3C531AB6F0D1BAE47849475E
                          SHA-512:8BF0A4EEA835EA337C007732F08EBEA2C762C05DB60D79AE84DA01CB460BBE25CA9534C9E38EF055A0969EB66D6963514C91C3A7C37B76A0AF6CF65C1A3A64B5
                          Malicious:false
                          Reputation:low
                          Preview:@...e...................................&.......................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nnbjkjn.5hx.ps1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzbwnswh.j0m.psm1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ih3wkd2e.0kn.psm1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihvz2los.2z4.ps1

                          Download File
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.755059431351127
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:PO-0005082025 pdf.exe
                          File size:791'552 bytes
                          MD5:4881b4d16acf9ff18d4f3177718d1848
                          SHA1:04b19cbc9904c3971cf9b070db387fa0c5fbd438
                          SHA256:df33cc8034f776a46c83294a6696df8c997165ce84a0a54edcd7df5eaf919d45
                          SHA512:77092a0bcbd2c962474deaf121ef4d9c3667e5a21f7034451f2c502860aa1d2570aaf930c9154646d2711fde7f80c71efd0d9981d879ae673dcc35e6e52c2e16
                          SSDEEP:24576:iVT8S0ck7UmUZtIq5EsnXu3DZoQcmwuT:iV8S0chmUZmqbnaDtlT
                          TLSH:41F402592659EC03D4A6077049E2E3F817245EDEEA01D3039BFEBDFF7C395526818292
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~g..............0......*........... ... ....@.. ....................................`................................

                          File Icon

                          Icon Hash:33362c2d36335470

                          Static PE Info

                          General

                          Entrypoint:0x4c06ee
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x677EF689 [Wed Jan 8 22:04:57 2025 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0xc069c0x4f.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xc20000x277c.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xc60000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000xbe6f40xbe8005cc38bade3aa1a2deece18132dd0b46fFalse0.9178085527395013data7.759221001325472IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc0xc20000x277c0x2800e2592dacaf79c9517d2dba9d3ff559e5False0.87900390625data7.595888387892524IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0xc60000xc0x200f8c022568c28e4708c73c32af1832f66False0.041015625data0.07763316234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountryZLIB Complexity
                          RT_ICON0xc20c80x2356PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9427371213796153
                          RT_GROUP_ICON0xc44300x14data1.05
                          RT_VERSION0xc44540x324data0.43283582089552236

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Network Behavior

                          DNS Answers

                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                          Jan 10, 2025 15:13:42.203739882 CET1.1.1.1192.168.2.90x644fNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                          Jan 10, 2025 15:13:42.203739882 CET1.1.1.1192.168.2.90x644fNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:0
                          Start time:09:13:46
                          Start date:10/01/2025
                          Path:C:\Users\user\Desktop\PO-0005082025 pdf.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                          Imagebase:0x940000
                          File size:791'552 bytes
                          MD5 hash:4881B4D16ACF9FF18D4F3177718D1848
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1553470146.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1540455021.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:4
                          Start time:09:14:03
                          Start date:10/01/2025
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                          Imagebase:0xeb0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          General

                          Target ID:5
                          Start time:09:14:03
                          Start date:10/01/2025
                          Path:C:\Users\user\Desktop\PO-0005082025 pdf.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
                          Imagebase:0x890000
                          File size:791'552 bytes
                          MD5 hash:4881B4D16ACF9FF18D4F3177718D1848
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2343499066.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:6
                          Start time:09:14:03
                          Start date:10/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff70f010000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Disassembly

                          Reset < >

                            Execution Graph

                            Execution Coverage:9.8%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:99
                            Total number of Limit Nodes:7
                            execution_graph 27233 718fde8 27234 718fe2d Wow64SetThreadContext 27233->27234 27236 718fe75 27234->27236 27129 101dea0 27130 101dee6 GetCurrentProcess 27129->27130 27132 101df31 27130->27132 27133 101df38 GetCurrentThread 27130->27133 27132->27133 27134 101df75 GetCurrentProcess 27133->27134 27135 101df6e 27133->27135 27136 101dfab GetCurrentThreadId 27134->27136 27135->27134 27138 101e004 27136->27138 27237 101e4f0 DuplicateHandle 27238 101e586 27237->27238 27117 7230130 27118 723017b ReadProcessMemory 27117->27118 27120 72301bf 27118->27120 27139 7230040 27140 7230088 WriteProcessMemory 27139->27140 27142 72300df 27140->27142 27143 7230280 27144 7232ee8 PostMessageW 27143->27144 27145 7232f54 27144->27145 27121 718f900 27122 718f940 ResumeThread 27121->27122 27124 718f971 27122->27124 27125 718fec0 27126 718ff00 VirtualAllocEx 27125->27126 27128 718ff3d 27126->27128 27239 71808a0 27240 71808e3 27239->27240 27241 7180901 MonitorFromPoint 27240->27241 27242 7180932 27240->27242 27241->27242 27146 1014668 27147 101467a 27146->27147 27148 1014686 27147->27148 27152 1014779 27147->27152 27157 1014210 27148->27157 27150 10146a5 27153 101479d 27152->27153 27163 1014878 27153->27163 27167 1014888 27153->27167 27158 101421b 27157->27158 27175 1017908 27158->27175 27160 10184bd 27179 1017918 27160->27179 27162 10184d6 27162->27150 27165 10148af 27163->27165 27164 101498c 27164->27164 27165->27164 27171 101448c 27165->27171 27169 10148af 27167->27169 27168 101498c 27168->27168 27169->27168 27170 101448c CreateActCtxA 27169->27170 27170->27168 27172 1015918 CreateActCtxA 27171->27172 27174 10159db 27172->27174 27176 1017913 27175->27176 27177 1017918 GetModuleHandleW 27176->27177 27178 101874d 27177->27178 27178->27160 27180 1017923 27179->27180 27183 101821c 27180->27183 27182 1018975 27182->27162 27184 1018227 27183->27184 27187 101824c 27184->27187 27186 1018a5a 27186->27182 27188 1018257 27187->27188 27191 101827c 27188->27191 27190 1018b4d 27190->27186 27192 1018287 27191->27192 27194 101942b 27192->27194 27197 101bad8 27192->27197 27193 1019469 27193->27190 27194->27193 27201 101dbd8 27194->27201 27205 101bb08 27197->27205 27209 101bb10 27197->27209 27198 101baee 27198->27194 27202 101dbf9 27201->27202 27203 101dc1d 27202->27203 27217 101dd88 27202->27217 27203->27193 27206 101bb10 27205->27206 27212 101bc02 27206->27212 27207 101bb1f 27207->27198 27211 101bc02 GetModuleHandleW 27209->27211 27210 101bb1f 27210->27198 27211->27210 27213 101bc19 27212->27213 27214 101bc3c 27212->27214 27213->27214 27215 101be40 GetModuleHandleW 27213->27215 27214->27207 27216 101be6d 27215->27216 27216->27207 27218 101dd95 27217->27218 27219 101ddcf 27218->27219 27221 101c900 27218->27221 27219->27203 27222 101c90b 27221->27222 27223 101eae8 27222->27223 27225 101e0fc 27222->27225 27226 101e107 27225->27226 27227 101827c GetModuleHandleW 27226->27227 27228 101eb57 27227->27228 27228->27223 27229 72306c8 27230 7230751 27229->27230 27230->27230 27231 72308b6 CreateProcessA 27230->27231 27232 7230913 27231->27232

                            Executed Functions

                            Function 07182D70 Relevance: 2.3, Strings: 1, Instructions: 1029COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 21 7182d70-7182d91 22 7182d98-7182e84 21->22 23 7182d93 21->23 25 7182e8a-7182fde 22->25 26 71836b1-71836d9 22->26 23->22 70 718367f-71836ae 25->70 71 7182fe4-718303f 25->71 29 7183dbb-7183dc4 26->29 30 7183dca-7183de1 29->30 31 71836e7-71836f0 29->31 33 71836f2 31->33 34 71836f7-71837d0 31->34 33->34 192 71837d6 call 7184020 34->192 193 71837d6 call 7184011 34->193 51 71837dc-71837e9 52 71837eb-71837f7 51->52 53 7183813 51->53 55 71837f9-71837ff 52->55 56 7183801-7183807 52->56 57 7183819-7183838 53->57 58 7183811 55->58 56->58 61 7183898-7183910 57->61 62 718383a-7183893 57->62 58->57 81 7183912-7183965 61->81 82 7183967-71839aa 61->82 75 7183db8 62->75 70->26 78 7183041 71->78 79 7183044-718304f 71->79 75->29 78->79 83 7183593-7183599 79->83 111 71839b5-71839bb 81->111 82->111 84 718359f-718361c 83->84 85 7183054-7183072 83->85 125 7183669-718366f 84->125 88 71830c9-71830de 85->88 89 7183074-7183078 85->89 91 71830e0 88->91 92 71830e5-71830fb 88->92 89->88 94 718307a-7183085 89->94 91->92 96 71830fd 92->96 97 7183102-7183119 92->97 98 71830bb-71830c1 94->98 96->97 102 718311b 97->102 103 7183120-7183136 97->103 100 71830c3-71830c4 98->100 101 7183087-718308b 98->101 105 7183147-71831b8 100->105 107 718308d 101->107 108 7183091-71830a9 101->108 102->103 109 7183138 103->109 110 718313d-7183144 103->110 112 71831ba 105->112 113 71831ce-7183346 105->113 107->108 115 71830ab 108->115 116 71830b0-71830b8 108->116 109->110 110->105 117 7183a12-7183a1e 111->117 112->113 118 71831bc-71831c8 112->118 126 7183348 113->126 127 718335c-7183497 113->127 115->116 116->98 119 71839bd-71839df 117->119 120 7183a20-7183aa7 117->120 118->113 121 71839e1 119->121 122 71839e6-7183a0f 119->122 147 7183c2c-7183c35 120->147 121->122 122->117 130 718361e-7183666 125->130 131 7183671-7183677 125->131 126->127 132 718334a-7183356 126->132 140 7183499-718349d 127->140 141 71834fb-7183510 127->141 130->125 131->70 132->127 140->141 145 718349f-71834ae 140->145 143 7183512 141->143 144 7183517-7183538 141->144 143->144 149 718353a 144->149 150 718353f-718355e 144->150 146 71834ed-71834f3 145->146 151 71834b0-71834b4 146->151 152 71834f5-71834f6 146->152 153 7183c3b-7183c96 147->153 154 7183aac-7183ac1 147->154 149->150 155 7183560 150->155 156 7183565-7183585 150->156 157 71834be-71834df 151->157 158 71834b6-71834ba 151->158 163 7183590 152->163 178 7183c98-7183ccb 153->178 179 7183ccd-7183cf7 153->179 159 7183aca-7183c20 154->159 160 7183ac3 154->160 155->156 161 718358c 156->161 162 7183587 156->162 165 71834e1 157->165 166 71834e6-71834ea 157->166 158->157 183 7183c26 159->183 160->159 167 7183b5a-7183b9a 160->167 168 7183b9f-7183bdf 160->168 169 7183ad0-7183b10 160->169 170 7183b15-7183b55 160->170 161->163 162->161 163->83 165->166 166->146 167->183 168->183 169->183 170->183 187 7183d00-7183dac 178->187 179->187 183->147 187->75 192->51 193->51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: \ lw
                            • API String ID: 0-2684086738
                            • Opcode ID: 44cffedd8e56a6dc9f3330e42743a1a9271b277367239f13a5488c53b12148d8
                            • Instruction ID: 26230cb66683209b3e4fbc5b329eca251f8c394b8ce066d1bd596b94cb92362d
                            • Opcode Fuzzy Hash: 44cffedd8e56a6dc9f3330e42743a1a9271b277367239f13a5488c53b12148d8
                            • Instruction Fuzzy Hash: 21B2C075E00228CFDB65DF69C984ADDBBB2BF89300F1581E9D509AB265DB319E81CF40
                            Function 07185E50 Relevance: .1, Instructions: 71COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e32bd5ae1ca2777a73267ba2a268aae3f8a9dc7f25ab22011e49d47068430fcf
                            • Instruction ID: c6cc2a5588544d6f104e350c59f39ab1cc095b640223d5c736fe92b3e942f77d
                            • Opcode Fuzzy Hash: e32bd5ae1ca2777a73267ba2a268aae3f8a9dc7f25ab22011e49d47068430fcf
                            • Instruction Fuzzy Hash: ED21F3B1E146598BEB58DFABC9406DEFBF3AFC9300F14C16AC428A7255EB3409468F50
                            Function 07185E60 Relevance: .1, Instructions: 65COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6d7815395c8e460e74dc867ac786cbc3b255cf5234ff44f464fef4f93cfd874
                            • Instruction ID: 8a5d68af49d1bfa55f07b5a8f2dff4a807267ba00e50ee0f2fd76dc270197d97
                            • Opcode Fuzzy Hash: e6d7815395c8e460e74dc867ac786cbc3b255cf5234ff44f464fef4f93cfd874
                            • Instruction Fuzzy Hash: 7E21B3B1E14619CBEB58DFABC94069EFBF6AFC9300F14C16AC428A7255EB3419468F50
                            Function 0101DEA0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0101DF1E
                            • GetCurrentThread.KERNEL32 ref: 0101DF5B
                            • GetCurrentProcess.KERNEL32 ref: 0101DF98
                            • GetCurrentThreadId.KERNEL32 ref: 0101DFF1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1530074172.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1010000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 8e90246111f7eb923986d60480b29755aad0e31165dc436be34f4b382b89708a
                            • Instruction ID: 84148ab819ee2871539783916875ba8eba3cce3b7327dbf071c76b8d1886a2e5
                            • Opcode Fuzzy Hash: 8e90246111f7eb923986d60480b29755aad0e31165dc436be34f4b382b89708a
                            • Instruction Fuzzy Hash: 535146B09006498FEB15CFAAD548B9EBBF1FF88304F20845DE419A73A4D778A944CF65
                            Function 072306C8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 194 72306c8-723075d 196 7230796-72307b6 194->196 197 723075f-7230769 194->197 202 72307b8-72307c2 196->202 203 72307ef-723081e 196->203 197->196 198 723076b-723076d 197->198 200 7230790-7230793 198->200 201 723076f-7230779 198->201 200->196 204 723077b 201->204 205 723077d-723078c 201->205 202->203 207 72307c4-72307c6 202->207 213 7230820-723082a 203->213 214 7230857-7230911 CreateProcessA 203->214 204->205 205->205 206 723078e 205->206 206->200 208 72307e9-72307ec 207->208 209 72307c8-72307d2 207->209 208->203 211 72307d6-72307e5 209->211 212 72307d4 209->212 211->211 216 72307e7 211->216 212->211 213->214 215 723082c-723082e 213->215 225 7230913-7230919 214->225 226 723091a-72309a0 214->226 217 7230851-7230854 215->217 218 7230830-723083a 215->218 216->208 217->214 220 723083e-723084d 218->220 221 723083c 218->221 220->220 222 723084f 220->222 221->220 222->217 225->226 236 72309a2-72309a6 226->236 237 72309b0-72309b4 226->237 236->237 238 72309a8 236->238 239 72309b6-72309ba 237->239 240 72309c4-72309c8 237->240 238->237 239->240 241 72309bc 239->241 242 72309ca-72309ce 240->242 243 72309d8-72309dc 240->243 241->240 242->243 244 72309d0 242->244 245 72309ee-72309f5 243->245 246 72309de-72309e4 243->246 244->243 247 72309f7-7230a06 245->247 248 7230a0c 245->248 246->245 247->248
                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072308FE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554952708.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: true
                            • Associated: 00000000.00000002.1554664589.00000000071A0000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_71a0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 43d4c4c097075dbf4ac0c6683f3b1c3ffceafae860dc6299ce1d1fa28e670c9b
                            • Instruction ID: 8c4a74fe39b675c627503b5267e7c0d7adbaac1fc6de5af85956d844dc288a5e
                            • Opcode Fuzzy Hash: 43d4c4c097075dbf4ac0c6683f3b1c3ffceafae860dc6299ce1d1fa28e670c9b
                            • Instruction Fuzzy Hash: 9E915DB1D1031ACFEB20CF68C8417EEBBB2BF48714F148169D849A7250DB749985CFA1
                            Function 0101BC02 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 250 101bc02-101bc17 251 101bc43-101bc47 250->251 252 101bc19-101bc26 call 101aeec 250->252 253 101bc49-101bc53 251->253 254 101bc5b-101bc9c 251->254 259 101bc28 252->259 260 101bc3c 252->260 253->254 261 101bca9-101bcb7 254->261 262 101bc9e-101bca6 254->262 307 101bc2e call 101be90 259->307 308 101bc2e call 101bea0 259->308 260->251 263 101bcb9-101bcbe 261->263 264 101bcdb-101bcdd 261->264 262->261 267 101bcc0-101bcc7 call 101aef8 263->267 268 101bcc9 263->268 266 101bce0-101bce7 264->266 265 101bc34-101bc36 265->260 269 101bd78-101bdb4 265->269 270 101bcf4-101bcfb 266->270 271 101bce9-101bcf1 266->271 273 101bccb-101bcd9 267->273 268->273 295 101bdb6-101bdf0 269->295 274 101bd08-101bd11 call 101af08 270->274 275 101bcfd-101bd05 270->275 271->270 273->266 281 101bd13-101bd1b 274->281 282 101bd1e-101bd23 274->282 275->274 281->282 283 101bd41-101bd4e 282->283 284 101bd25-101bd2c 282->284 290 101bd71-101bd77 283->290 291 101bd50-101bd6e 283->291 284->283 286 101bd2e-101bd3e call 101af18 call 101af28 284->286 286->283 291->290 301 101bdf2-101be38 295->301 302 101be40-101be6b GetModuleHandleW 301->302 303 101be3a-101be3d 301->303 304 101be74-101be88 302->304 305 101be6d-101be73 302->305 303->302 305->304 307->265 308->265
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0101BE5E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1530074172.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1010000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 9c565bfa2b66c0efd8341abe2e4ef598612088e9919245009c8115614f29c8cf
                            • Instruction ID: 54a440315c33b224edeeef3d125bb40ba0b794c289a7f37f6d7e353d94b3008e
                            • Opcode Fuzzy Hash: 9c565bfa2b66c0efd8341abe2e4ef598612088e9919245009c8115614f29c8cf
                            • Instruction Fuzzy Hash: 26815670A00B058FE765DF6AD44179ABBF1FF88304F008A2DD48ADBA54DB79E845CB91
                            Function 0101590D Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 309 101590d-10159d9 CreateActCtxA 311 10159e2-1015a3c 309->311 312 10159db-10159e1 309->312 319 1015a4b-1015a4f 311->319 320 1015a3e-1015a41 311->320 312->311 321 1015a51-1015a5d 319->321 322 1015a60 319->322 320->319 321->322 324 1015a61 322->324 324->324
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 010159C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1530074172.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1010000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: e80ca903350ca9fae86522c4d6950d14bc0bb8dcd4b37640910d36c5d3896a47
                            • Instruction ID: 0f2096a85f5c6d0802ecf2b2611f1c2534e64d7c70d10cd561717f3b230e3be8
                            • Opcode Fuzzy Hash: e80ca903350ca9fae86522c4d6950d14bc0bb8dcd4b37640910d36c5d3896a47
                            • Instruction Fuzzy Hash: 9941CF71C00719CFDB24CFA9C884B9EBBF5BF8A704F20846AD448AB255DB756945CF50
                            Function 0101448C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 325 101448c-10159d9 CreateActCtxA 328 10159e2-1015a3c 325->328 329 10159db-10159e1 325->329 336 1015a4b-1015a4f 328->336 337 1015a3e-1015a41 328->337 329->328 338 1015a51-1015a5d 336->338 339 1015a60 336->339 337->336 338->339 341 1015a61 339->341 341->341
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 010159C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1530074172.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1010000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 2abb9fa0c3dd60901b22d04ce05fd1373a25f8a0362f9fbdb5e4d7069b88b24f
                            • Instruction ID: 308d55fe04a972e3ef143648083038fe1a4f3b1f679788622b9caa493b2b06b0
                            • Opcode Fuzzy Hash: 2abb9fa0c3dd60901b22d04ce05fd1373a25f8a0362f9fbdb5e4d7069b88b24f
                            • Instruction Fuzzy Hash: CC41D271C00719CBDB24CFA9C88478EBBF5BF8A704F20846AD448AB255DB756945CF50
                            Function 07230040 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 342 7230040-723008e 344 7230090-723009c 342->344 345 723009e-72300dd WriteProcessMemory 342->345 344->345 347 72300e6-7230116 345->347 348 72300df-72300e5 345->348 348->347
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072300D0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554952708.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: true
                            • Associated: 00000000.00000002.1554664589.00000000071A0000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_71a0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: ae0a2c83062688f18650e9794300084f658fc3bc9a9c7c09d49eae33177ac10c
                            • Instruction ID: 344519422c2453a0aca9046becf1d7b2dbbdb592c9714c3b7a4682c64ed5a265
                            • Opcode Fuzzy Hash: ae0a2c83062688f18650e9794300084f658fc3bc9a9c7c09d49eae33177ac10c
                            • Instruction Fuzzy Hash: 052139B191034A9FDB10CFA9C885BDEBBF5FF48310F14842AE958A7250C7799954CBA0
                            Function 0718FDE0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 352 718fde0-718fe33 355 718fe43-718fe46 352->355 356 718fe35-718fe41 352->356 357 718fe4d-718fe73 Wow64SetThreadContext 355->357 356->355 358 718fe7c-718feac 357->358 359 718fe75-718fe7b 357->359 359->358
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0718FE66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 677b756b2a86181b69443beca94f3be948a6c76be552788e5e7caed336ffb5f2
                            • Instruction ID: 6ff7812ed8a44d31081a0cd716e4e14b6bb4d6bfb999ed086fa18da2eeeaf936
                            • Opcode Fuzzy Hash: 677b756b2a86181b69443beca94f3be948a6c76be552788e5e7caed336ffb5f2
                            • Instruction Fuzzy Hash: D02139B2D002098FDB10DFA9C5857EEBBF4EF49210F14842AD559B7281DB789545CF91
                            Function 071808A0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 363 71808a0-71808ec 365 71808ee-7180930 MonitorFromPoint 363->365 366 7180952-718096d 363->366 369 7180939-7180944 365->369 370 7180932-7180938 365->370 374 718096f-718097c 366->374 375 7180947 call 7180a68 369->375 376 7180947 call 7180a59 369->376 370->369 372 718094d-7180950 372->374 375->372 376->372
                            APIs
                            • MonitorFromPoint.USER32(?,?,00000002), ref: 0718091F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: FromMonitorPoint
                            • String ID:
                            • API String ID: 1566494148-0
                            • Opcode ID: cb6fe7e4f68a221656e55d7edfd164c2053aa58fced2979a93d7c43b956afca0
                            • Instruction ID: 51bc3fa71fe9da908f80cc06fb2fa0ab11b4fe12ae73be819f2053f952ef205c
                            • Opcode Fuzzy Hash: cb6fe7e4f68a221656e55d7edfd164c2053aa58fced2979a93d7c43b956afca0
                            • Instruction Fuzzy Hash: BA215CB59002099FDB10EF9AD845BEEBBF5FB89310F108419E895AB384C7756904CFA1
                            Function 0718FDE8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 377 718fde8-718fe33 379 718fe43-718fe73 Wow64SetThreadContext 377->379 380 718fe35-718fe41 377->380 382 718fe7c-718feac 379->382 383 718fe75-718fe7b 379->383 380->379 383->382
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0718FE66
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: f2e303eb4258f594c4a6ce008cc0941c580903eee7d0d74226946537a53db904
                            • Instruction ID: 0bfb48713cd6039ba12043daaeeb56911dce02f1523930aa430b3f98b55e7425
                            • Opcode Fuzzy Hash: f2e303eb4258f594c4a6ce008cc0941c580903eee7d0d74226946537a53db904
                            • Instruction Fuzzy Hash: 742118B19003098FDB10DFAAC4857EEBBF8EF49214F14842AD559A7241D7789A45CFA1
                            Function 07230130 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 387 7230130-72301bd ReadProcessMemory 390 72301c6-72301f6 387->390 391 72301bf-72301c5 387->391 391->390
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072301B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554952708.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: true
                            • Associated: 00000000.00000002.1554664589.00000000071A0000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_71a0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: ebea6be7228487af48ba360a829e48d084f3d20849c6bcd4a60064cfda684698
                            • Instruction ID: 6026aa257dd9444adcecdd1ec818fdbae696bd0efcd6c54a09a22c429849657a
                            • Opcode Fuzzy Hash: ebea6be7228487af48ba360a829e48d084f3d20849c6bcd4a60064cfda684698
                            • Instruction Fuzzy Hash: 542125B18003499FDB10CFAAC881BEEFBF5FF48310F14842AE558A7250D7799944CBA0
                            Function 07180890 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 400 7180890-71808ec 403 71808ee-7180930 MonitorFromPoint 400->403 404 7180952-718096d 400->404 407 7180939-7180944 403->407 408 7180932-7180938 403->408 412 718096f-718097c 404->412 413 7180947 call 7180a68 407->413 414 7180947 call 7180a59 407->414 408->407 410 718094d-7180950 410->412 413->410 414->410
                            APIs
                            • MonitorFromPoint.USER32(?,?,00000002), ref: 0718091F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: FromMonitorPoint
                            • String ID:
                            • API String ID: 1566494148-0
                            • Opcode ID: 104cb73a34dc03d5ab2211173d642cfff1dde4b145aae36038550b8af01baa30
                            • Instruction ID: a104dc55f6db3af21fef79010804c2d59ab45fb8243d72a6a2883df866fc0686
                            • Opcode Fuzzy Hash: 104cb73a34dc03d5ab2211173d642cfff1dde4b145aae36038550b8af01baa30
                            • Instruction Fuzzy Hash: 692159B5D043499FDB11DF96C845BDEBBB4FB49310F10841AE494AB381C7396948CFA1
                            Function 0101E4F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 395 101e4f0-101e584 DuplicateHandle 396 101e586-101e58c 395->396 397 101e58d-101e5aa 395->397 396->397
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0101E577
                            Memory Dump Source
                            • Source File: 00000000.00000002.1530074172.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1010000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 49a1035c0e1d6c71d04b72b11ac0c429dc1d11c8de2ef18dd366e23bee7d6bf9
                            • Instruction ID: 0fcdc9cbc7759e19ee9bd8e6271df99a44ef35309cc8d0fc949b35b7455c5e1d
                            • Opcode Fuzzy Hash: 49a1035c0e1d6c71d04b72b11ac0c429dc1d11c8de2ef18dd366e23bee7d6bf9
                            • Instruction Fuzzy Hash: ED21E2B5D002499FDB10CFAAD884ADEBBF8EB48310F14801AE958A3350D378A950CFA0
                            Function 0718F8F8 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 415 718f8f8-718f96f ResumeThread 420 718f978-718f99d 415->420 421 718f971-718f977 415->421 421->420
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 25557869f871153edc33dadcbcfa8aa7ba04bf97def15518dc87b261ab65a7cf
                            • Instruction ID: 3175da93cf2d025449a89e7b75bfff5b6dd1c20adfd4fb9c3ab011929f74f9ac
                            • Opcode Fuzzy Hash: 25557869f871153edc33dadcbcfa8aa7ba04bf97def15518dc87b261ab65a7cf
                            • Instruction Fuzzy Hash: 3A119AB6C0034A8FDB10DFA9C8447EEFBF4AF49224F24891AD169A7290CB395542CF90
                            Function 0718FEB9 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 425 718feb9-718ff03 427 718ff0a-718ff3b VirtualAllocEx 425->427 428 718ff3d-718ff43 427->428 429 718ff44-718ff69 427->429 428->429
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0718FF2E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: f323b58eadfd7dbfa30e00c9e7907d70e38147cee1378f9170e09303709db599
                            • Instruction ID: fc333b368f0cc8b9e2cde390e4c8892eafb9daa492e2f670516e5d6eb1967991
                            • Opcode Fuzzy Hash: f323b58eadfd7dbfa30e00c9e7907d70e38147cee1378f9170e09303709db599
                            • Instruction Fuzzy Hash: ED1164B68002098FDB10DFA9C9457EEBBF9FF48314F24881AE519A7250C7799940CFA0
                            Function 0718FEC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                            Download Yara Rule
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0718FF2E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: e35932118f39fbb96b42680f8ff0071bc00ed4dd639421ae385eccc71577b1ed
                            • Instruction ID: 26bd29055607e7ce205ff1961b2f3621895d87d984b1fa16ddcde6b49175c348
                            • Opcode Fuzzy Hash: e35932118f39fbb96b42680f8ff0071bc00ed4dd639421ae385eccc71577b1ed
                            • Instruction Fuzzy Hash: 411149728003499FDB10DFAAC845BDFBBF9EF49314F14841AE519A7250C7799551CFA0
                            Function 0718F900 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                            Download Yara Rule
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 7334d439dfa61147b41f37f88c2df837a5bef65e4be57aaec76e82b49148cd6d
                            • Instruction ID: 70bce696df77dc8df16027d67265b8dcd889fb3f93a59cf95a888ea49020801a
                            • Opcode Fuzzy Hash: 7334d439dfa61147b41f37f88c2df837a5bef65e4be57aaec76e82b49148cd6d
                            • Instruction Fuzzy Hash: BE113AB1D003498FDB10DFAAC4457EEFBF8EF48210F248419D559A7240C7796544CFA0
                            Function 07230280 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                            Download Yara Rule
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07232F45
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554952708.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: true
                            • Associated: 00000000.00000002.1554664589.00000000071A0000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_71a0000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: a9985f6bb7f520e860bd113a065ade1f7e64b99d7800e6294900d29706ceadac
                            • Instruction ID: 8ec3c37fdbe652b8c34748debef114bc470ab4ce0eaea7ccc452ee4ea681b253
                            • Opcode Fuzzy Hash: a9985f6bb7f520e860bd113a065ade1f7e64b99d7800e6294900d29706ceadac
                            • Instruction Fuzzy Hash: 8C11F2B5810349DFDB10CF9AC845BDEBBF8FB48310F10845AE518A7250C3B5A944CFA1
                            Function 0101BDF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                            Download Yara Rule
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0101BE5E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1530074172.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1010000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 5c5b90771e7b2e098c0861b2ec9b33d2ed107a7c23a5f401bc3dcd50da91a326
                            • Instruction ID: 23abbcdc5697f9bd17d51a804069bb1b67cd820b01f19cc930546155e02b0b21
                            • Opcode Fuzzy Hash: 5c5b90771e7b2e098c0861b2ec9b33d2ed107a7c23a5f401bc3dcd50da91a326
                            • Instruction Fuzzy Hash: 0811E0B5C006498FDB10CF9AC444BDEFBF9EB88314F10846AD559A7610D379A545CFA1
                            Function 00FBD3D8 Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529218578.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fbd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a848706cb9da7d199f88ace871099595b4779c06aad9d1252a91af029e39d2b1
                            • Instruction ID: 88c2701f272a7469b01e18e34f93c0a7129a2f28542f030177a71c496fc69f18
                            • Opcode Fuzzy Hash: a848706cb9da7d199f88ace871099595b4779c06aad9d1252a91af029e39d2b1
                            • Instruction Fuzzy Hash: 3A213772900344DFDB04DF10D9C0B66BB65FB98324F24C5A9E80A0B256D336E856EFA3
                            Function 00FBD4C4 Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529218578.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fbd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56ba1d78eeba522b09acd96c2ceef7689c97a299c333fb72d549136f8e0f4fd0
                            • Instruction ID: 670bd0a2717e0fcbfd9c140594a6839da93ee27c0544cb7af0c0617aa3ba5e44
                            • Opcode Fuzzy Hash: 56ba1d78eeba522b09acd96c2ceef7689c97a299c333fb72d549136f8e0f4fd0
                            • Instruction Fuzzy Hash: 95212572900244DFDB25DF10D9C0B66BF65FB88328F28C569E8090B256D336D856EFA3
                            Function 00FCD01C Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529619174.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fcd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 534fffafc9870f85bd4a8649773580ddc2713601075ba3c9cf26269b18d30a9d
                            • Instruction ID: 43e3cf97f89889df24d2aa4b1bd147fcfff7a7a74a755f52f79f97271885dea7
                            • Opcode Fuzzy Hash: 534fffafc9870f85bd4a8649773580ddc2713601075ba3c9cf26269b18d30a9d
                            • Instruction Fuzzy Hash: 6521C1719442449FDB14DF18D6C1F1ABB65EB84324F24C56DD80A4B28AC336D847DA62
                            Function 00FCD1D4 Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529619174.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fcd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d551130fd25cc43246d93a36da27258b8b5322b52064e39ad6f43f5d52598f6b
                            • Instruction ID: 77479ca3bf92fbc2606c9de41397bf7b1aed02bae4ef5a45bf46a68675e19da7
                            • Opcode Fuzzy Hash: d551130fd25cc43246d93a36da27258b8b5322b52064e39ad6f43f5d52598f6b
                            • Instruction Fuzzy Hash: F1210472904345EFDB05DF10DAC1F6ABBA5FB84324F24C5BDE8094B292C336D846DA62
                            Function 00FCD005 Relevance: .1, Instructions: 62COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529619174.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fcd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f662d19baa44f7cb83e8295321e3dcc7bbc591407f3ba491bf782c18d6442ac0
                            • Instruction ID: a326fe99b9d5fd939a8d68ee983b25b15e3af9c4c61a8e99cbd424a850ee7170
                            • Opcode Fuzzy Hash: f662d19baa44f7cb83e8295321e3dcc7bbc591407f3ba491bf782c18d6442ac0
                            • Instruction Fuzzy Hash: 792183755493808FCB02CF24D590B15BF71EB46314F28C5EED8498B6A7C33A980ACB62
                            Function 00FBD4BF Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529218578.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fbd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: 1e29d8bc5a54d6eb9cef0124311ed20d99ce3c507217475a70fb0869fa81544a
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: D111D376904280CFCB15CF10D9C4B56BF71FB94328F28C6A9D8490B656C33AD856DFA2
                            Function 00FBD3D3 Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529218578.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fbd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: a6cea54689001f28b2bb6e36c29c72bb2791e8badcb21a4e27b645518da26da9
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: 8811D376904240DFCB15CF10D5C4B56BF71FB94324F24C6A9D8090B656C33AE85ADFA2
                            Function 00FCD1CF Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1529619174.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fcd000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction ID: 8440d6dcedab4c4f367821e314cf809fe16dabfd995b0c27ec0f066992e56fee
                            • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction Fuzzy Hash: E7119075904240DFCB15CF50DAC4B59FB71FB84324F24C6AED8494B696C33AD84ADB51

                            Non-executed Functions

                            Function 0718F0D8 Relevance: .3, Instructions: 312COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea47784598d3f0169b74b7888f84eedcc4f75d02d42650cdf66958548ae2ffc9
                            • Instruction ID: f0be3357c4b94afa970701865c9a6528e475325e84772e2aaf20ac449c09dbd1
                            • Opcode Fuzzy Hash: ea47784598d3f0169b74b7888f84eedcc4f75d02d42650cdf66958548ae2ffc9
                            • Instruction Fuzzy Hash: 14E1F8B4E1021A8FDB54DFA9C580AAEFBB6FF89305F248169D414AB355D730AD42CF60
                            Function 0718DE38 Relevance: .3, Instructions: 312COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04c9e8b22d013c4b2a073a6a99dc6be058a0603b05bb9bccdd8bf41532f4f905
                            • Instruction ID: 7505a414ef5c1dc181f61056dd35efc5b947943104c0c2e3fdf12cc530eab294
                            • Opcode Fuzzy Hash: 04c9e8b22d013c4b2a073a6a99dc6be058a0603b05bb9bccdd8bf41532f4f905
                            • Instruction Fuzzy Hash: 64E107B4E1021A8FDB54DFA8C580AAEFBB2BF89305F248169D414AB359D730AD45DF60
                            Function 07182D61 Relevance: .2, Instructions: 239COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5fc40164dc1fc44ddbb863aaf66678a5ca39377c22f0a39d7b321e1628780a82
                            • Instruction ID: 9a62eae974adff068a56e59c0b8b31c159fa0a4d6a3b6d12dd2145a2b3f50b30
                            • Opcode Fuzzy Hash: 5fc40164dc1fc44ddbb863aaf66678a5ca39377c22f0a39d7b321e1628780a82
                            • Instruction Fuzzy Hash: D2C163B5E006188FDB58DF6AC944ADDBBF2BF89301F14C1A9D809AB365DB305A85CF50
                            Function 071852A8 Relevance: .2, Instructions: 188COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad0ed3b2b0bf9d41e2047d1333c061453fbe83575d58a5e0d6dd2e43874dddb4
                            • Instruction ID: 33cfd17b0bcd14db1ee0a09907e69c640f34f0e08c457df5a5062eb4baff383d
                            • Opcode Fuzzy Hash: ad0ed3b2b0bf9d41e2047d1333c061453fbe83575d58a5e0d6dd2e43874dddb4
                            • Instruction Fuzzy Hash: 4E6126B4D15209CFDF58EFA9C440AEEFBB6EF8A300F209029D819A7291DB705956CF40
                            Function 07182A78 Relevance: .2, Instructions: 165COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c82197cab83807f654c1d1a92eaab300a9ac66194f8c0a3326c50866e44dc003
                            • Instruction ID: 237c512010cdf3b7265e9a06f61fdf221d79791471cc94b62e49b0ec190fe91a
                            • Opcode Fuzzy Hash: c82197cab83807f654c1d1a92eaab300a9ac66194f8c0a3326c50866e44dc003
                            • Instruction Fuzzy Hash: 6661EC7192020A8FD748EFBAE84569A7BF3FFC9300F14C529D014AB369DB7459059F51
                            Function 07182A88 Relevance: .2, Instructions: 159COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57b60af1346ce572fa789935c31701e22404d1129d6b38dff7457554d12e327d
                            • Instruction ID: 3347eef351a471942b3188d9665f89c9f13c7dbd37fcd2aca81286e555b65a1a
                            • Opcode Fuzzy Hash: 57b60af1346ce572fa789935c31701e22404d1129d6b38dff7457554d12e327d
                            • Instruction Fuzzy Hash: 1E61EBB1A2020A8FD748EFBAE84569EBBF3FBC9300F14C529D014AB359DB7459059F51
                            Function 0718F0C8 Relevance: .1, Instructions: 133COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1554565204.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7180000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1d29a2b0a845e13b965dade6aa07ce50bc74fa74d53436e6427ecd43ffc8264
                            • Instruction ID: 0e1ab11297b4c36e9fc304c3cdd188f2286f59752af23cd735ddb19e566500f0
                            • Opcode Fuzzy Hash: e1d29a2b0a845e13b965dade6aa07ce50bc74fa74d53436e6427ecd43ffc8264
                            • Instruction Fuzzy Hash: 27514BB4E1021A8FDB54DFA9C580AAEFBF6FF89301F248169D418A7355D7349942CFA0

                            Execution Graph

                            Execution Coverage:0.8%
                            Dynamic/Decrypted Code Coverage:6.8%
                            Signature Coverage:10.7%
                            Total number of Nodes:103
                            Total number of Limit Nodes:8
                            execution_graph 95695 4253a3 95699 4253bc 95695->95699 95696 425404 95703 42ed53 95696->95703 95699->95696 95700 425444 95699->95700 95702 425449 95699->95702 95701 42ed53 RtlFreeHeap 95700->95701 95701->95702 95706 42d023 95703->95706 95705 425414 95707 42d040 95706->95707 95708 42d051 RtlFreeHeap 95707->95708 95708->95705 95709 42ff23 95710 42fe93 95709->95710 95711 42fef0 95710->95711 95715 42ee33 95710->95715 95713 42fecd 95714 42ed53 RtlFreeHeap 95713->95714 95714->95711 95718 42cfd3 95715->95718 95717 42ee4e 95717->95713 95719 42cfed 95718->95719 95720 42cffe RtlAllocateHeap 95719->95720 95720->95717 95788 42c2d3 95789 42c2ed 95788->95789 95792 14b2df0 LdrInitializeThunk 95789->95792 95790 42c315 95792->95790 95793 42fdf3 95794 42fe03 95793->95794 95795 42fe09 95793->95795 95796 42ee33 RtlAllocateHeap 95795->95796 95797 42fe2f 95796->95797 95798 425013 95799 42502f 95798->95799 95800 425057 95799->95800 95801 42506b 95799->95801 95802 42ccc3 NtClose 95800->95802 95803 42ccc3 NtClose 95801->95803 95804 425060 95802->95804 95805 425074 95803->95805 95808 42ee73 RtlAllocateHeap 95805->95808 95807 42507f 95808->95807 95809 414373 95813 414393 95809->95813 95811 4143f2 95812 4143fc 95813->95812 95814 41bad3 RtlFreeHeap LdrInitializeThunk 95813->95814 95814->95811 95815 414193 95818 42cf33 95815->95818 95819 42cf4d 95818->95819 95822 14b2c70 LdrInitializeThunk 95819->95822 95820 4141b5 95822->95820 95823 417eb3 95824 417ed7 95823->95824 95825 417f13 LdrLoadDll 95824->95825 95826 417ede 95824->95826 95825->95826 95721 14b2b60 LdrInitializeThunk 95722 401d0d 95723 401d17 95722->95723 95726 4302c3 95723->95726 95729 42e903 95726->95729 95730 42e929 95729->95730 95739 407703 95730->95739 95732 42e93f 95738 401e16 95732->95738 95742 41b7c3 95732->95742 95734 42e95e 95735 42e973 95734->95735 95736 42d073 ExitProcess 95734->95736 95753 42d073 95735->95753 95736->95735 95756 416b73 95739->95756 95741 407710 95741->95732 95743 41b7ef 95742->95743 95774 41b6b3 95743->95774 95746 41b834 95748 41b850 95746->95748 95751 42ccc3 NtClose 95746->95751 95747 41b81c 95749 41b827 95747->95749 95780 42ccc3 95747->95780 95748->95734 95749->95734 95752 41b846 95751->95752 95752->95734 95754 42d090 95753->95754 95755 42d0a1 ExitProcess 95754->95755 95755->95738 95757 416b8d 95756->95757 95759 416ba6 95757->95759 95760 42d6f3 95757->95760 95759->95741 95762 42d70d 95760->95762 95761 42d73c 95761->95759 95762->95761 95767 42c323 95762->95767 95765 42ed53 RtlFreeHeap 95766 42d7b5 95765->95766 95766->95759 95768 42c340 95767->95768 95771 14b2c0a 95768->95771 95769 42c36c 95769->95765 95772 14b2c1f LdrInitializeThunk 95771->95772 95773 14b2c11 95771->95773 95772->95769 95773->95769 95775 41b7a9 95774->95775 95776 41b6cd 95774->95776 95775->95746 95775->95747 95783 42c3c3 95776->95783 95779 42ccc3 NtClose 95779->95775 95781 42ccdd 95780->95781 95782 42ccee NtClose 95781->95782 95782->95749 95784 42c3dd 95783->95784 95787 14b35c0 LdrInitializeThunk 95784->95787 95785 41b79d 95785->95779 95787->95785

                            Executed Functions

                            Function 00417EB3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 96 417eb3-417ecf 97 417ed7-417edc 96->97 98 417ed2 call 42f933 96->98 99 417ee2-417ef0 call 42ff33 97->99 100 417ede-417ee1 97->100 98->97 103 417f00-417f11 call 42e3d3 99->103 104 417ef2-417efd call 4301d3 99->104 109 417f13-417f27 LdrLoadDll 103->109 110 417f2a-417f2d 103->110 104->103 109->110
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417F25
                            Memory Dump Source
                            • Source File: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
                            • Instruction ID: 74b1a67ad7a1e6c5496c2b823323dd79b328b320fcbdb6ab911308b9a49c7e9b
                            • Opcode Fuzzy Hash: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
                            • Instruction Fuzzy Hash: 65011EB5E4020DABDF10DAA5DC42FDEB3B8AB54308F0041AAED0897241F675EB598B95
                            Function 0042CCC3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 121 42ccc3-42ccfc call 404b43 call 42ded3 NtClose
                            APIs
                            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CCF7
                            Memory Dump Source
                            • Source File: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
                            • Instruction ID: 7dd1565d8f3dbc3bc04d904a055674cb4cb7d7fe92152ebc39fafefd714ea547
                            • Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
                            • Instruction Fuzzy Hash: A8E04F316006147BE610AA6ADC41FD7776CDFC5714F408419FA08A7181C670B91187F4
                            Function 014B2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 135 14b2b60-14b2b6c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: f831fdaea60246d1811bcb71a58c1dfc5e84060699f285aaaabec7609e2078e9
                            • Instruction ID: e261bd6771c510c6cc4b85d09347f44ada7b6a2cd6bee8ae116266f2241f679f
                            • Opcode Fuzzy Hash: f831fdaea60246d1811bcb71a58c1dfc5e84060699f285aaaabec7609e2078e9
                            • Instruction Fuzzy Hash: 13900265202401034145715D4414616400A97F0601B55C026E1014591DC63789916225
                            Function 014B2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 137 14b2df0-14b2dfc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8ceb06e170678791caac64960aa6597285358bf8e7c1f88df7a1e1e1fa0eaee5
                            • Instruction ID: 828ccc0a237a16619bdf79419f6ac1cf5754ca33231f6af9e15fae3cd5d7211a
                            • Opcode Fuzzy Hash: 8ceb06e170678791caac64960aa6597285358bf8e7c1f88df7a1e1e1fa0eaee5
                            • Instruction Fuzzy Hash: 7F90023520140513D151715D4504707000997E0641F95C417A0424559DD7678A52A221
                            Function 014B2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 136 14b2c70-14b2c7c LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 6d22bc511d3cb30f1fcaf3d764bdb6466bd40fa2e3e426f3e891f1c4b1e3eb82
                            • Instruction ID: d46354315feda4809157225cc4e9e577bb217d372f7939d971e6f1abc0ce5953
                            • Opcode Fuzzy Hash: 6d22bc511d3cb30f1fcaf3d764bdb6466bd40fa2e3e426f3e891f1c4b1e3eb82
                            • Instruction Fuzzy Hash: 7290023520148902D150715D840474A000597E0701F59C416A4424659DC7A789917221
                            Function 014B35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 138 14b35c0-14b35cc LdrInitializeThunk
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 87b1b31ea32c33b1f8c0c9de326111c962cf6e93b9cfb02e00d2d61babbb24a0
                            • Instruction ID: 05bbcc334d6f1bb7c6a26238a2e0000e99ae7c7912575b3400f07d71cdf0415c
                            • Opcode Fuzzy Hash: 87b1b31ea32c33b1f8c0c9de326111c962cf6e93b9cfb02e00d2d61babbb24a0
                            • Instruction Fuzzy Hash: F690023560550502D140715D4514706100597E0601F65C416A0424569DC7A78A5166A2
                            Function 0042D023 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 116 42d023-42d067 call 404b43 call 42ded3 RtlFreeHeap
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4E8B0446,00000007,00000000,00000004,00000000,00417735,000000F4), ref: 0042D062
                            Memory Dump Source
                            • Source File: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
                            • Instruction ID: b1f67ff1680508f6b48a13b8e8d45400879f8c202f5ac700e6df5a6440d7a715
                            • Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
                            • Instruction Fuzzy Hash: B9E06D72604204BBD610EE59EC41F9B77ACDFC5714F004419FA08AB242D770B91086B8
                            Function 0042CFD3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 111 42cfd3-42d014 call 404b43 call 42ded3 RtlAllocateHeap
                            APIs
                            • RtlAllocateHeap.NTDLL(?,0041EC5B,?,?,00000000,?,0041EC5B,?,?,?), ref: 0042D00F
                            Memory Dump Source
                            • Source File: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
                            • Instruction ID: 7b03c5464cd71f7b56b57a232ca469f330cc0886600393034a38dfef118b4b2f
                            • Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
                            • Instruction Fuzzy Hash: 9AE09AB6700208BBD610EE59EC41F9B77ACEFC9710F004419FE09AB242D670B9108BB8
                            Function 0042D073 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 126 42d073-42d0af call 404b43 call 42ded3 ExitProcess
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.2342844693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_PO-0005082025 pdf.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
                            • Instruction ID: 46dd625dd64cb4bfb7d8af5c768814de95ff13fe0ff90786c18fe221300a3b06
                            • Opcode Fuzzy Hash: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
                            • Instruction Fuzzy Hash: 07E04F322002147BD510AA5ADC41FDBB7ACDBC5710F014419FA08A7182DAB0BA0187E4
                            Function 014B2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 131 14b2c0a-14b2c0f 132 14b2c1f-14b2c26 LdrInitializeThunk 131->132 133 14b2c11-14b2c18 131->133
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 7910fe6e58b6fa9c3366c62d36906164366e589ecb1583a99d2b6e82322eca6a
                            • Instruction ID: 789c734fbfb0c622aea3f23252f2e5faa66bf193c2f1c40f9ba98c2ad0509c59
                            • Opcode Fuzzy Hash: 7910fe6e58b6fa9c3366c62d36906164366e589ecb1583a99d2b6e82322eca6a
                            • Instruction Fuzzy Hash: 2FB09B719015C5C5DA51E7644608B177A1077D0701F15C067D3030653F4779D5D1E275

                            Non-executed Functions

                            Function 014F2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2160512332
                            • Opcode ID: 0caee08c0cb4ceb25f8a5bd86d7b3b5f010f365120e3431a626ad3d53205f9be
                            • Instruction ID: 1939184774b9ca07961b789b729cd315f706fe044d6af6c1f51e7e1c05814e3e
                            • Opcode Fuzzy Hash: 0caee08c0cb4ceb25f8a5bd86d7b3b5f010f365120e3431a626ad3d53205f9be
                            • Instruction Fuzzy Hash: 42929D71604342ABE721DF29C880F6BB7E8BB94754F04491EFB94973A1D7B0E845CB92
                            Function 014A8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                            Download Yara Rule
                            Strings
                            • Thread is in a state in which it cannot own a critical section, xrefs: 014E5543
                            • Thread identifier, xrefs: 014E553A
                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014E54E2
                            • Critical section address, xrefs: 014E5425, 014E54BC, 014E5534
                            • double initialized or corrupted critical section, xrefs: 014E5508
                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014E540A, 014E5496, 014E5519
                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014E54CE
                            • Address of the debug info found in the active list., xrefs: 014E54AE, 014E54FA
                            • Critical section address., xrefs: 014E5502
                            • corrupted critical section, xrefs: 014E54C2
                            • Invalid debug info address of this critical section, xrefs: 014E54B6
                            • undeleted critical section in freed memory, xrefs: 014E542B
                            • Critical section debug info address, xrefs: 014E541F, 014E552E
                            • 8, xrefs: 014E52E3
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                            • API String ID: 0-2368682639
                            • Opcode ID: 24ee40ed8881a187c16f41523f0cda979b6746be93520fb49a06c75fe8938ec4
                            • Instruction ID: ed2faf76a3a4a6fa92399a2da82f56619ad756e1718d724b965b5fedbc586bb6
                            • Opcode Fuzzy Hash: 24ee40ed8881a187c16f41523f0cda979b6746be93520fb49a06c75fe8938ec4
                            • Instruction Fuzzy Hash: BA81B074A00349AFEB60CF9AC845BAEBBF5FB18709F20411BF905BB261D771A945CB50
                            Function 014A29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                            Download Yara Rule
                            Strings
                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 014E2506
                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 014E2498
                            • @, xrefs: 014E259B
                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014E24C0
                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014E25EB
                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 014E2409
                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 014E2602
                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 014E2624
                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 014E2412
                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 014E261F
                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014E22E4
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                            • API String ID: 0-4009184096
                            • Opcode ID: c6c199cd0e3f901ca3d01fffc68af87fbefbb831170a8bede0f284690109af96
                            • Instruction ID: 00b2cb7274ba07af75134e4549fcf4f6680a002b567814944d5a9aea9a2f17c3
                            • Opcode Fuzzy Hash: c6c199cd0e3f901ca3d01fffc68af87fbefbb831170a8bede0f284690109af96
                            • Instruction Fuzzy Hash: 0C0280F1D002299BDB31DB54CC84FDAB7B8AB64304F4141EBE609A7261DBB09E85CF59
                            Function 01518B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                            • API String ID: 0-2515994595
                            • Opcode ID: 4745c28f2bd97cef4094f703870b1cca4ffbbc7bbee5c822c14aca53802ae81b
                            • Instruction ID: 2c3e81ab767971558a252242e56823b8d98e583d7bd5b2d3823438670f4c1849
                            • Opcode Fuzzy Hash: 4745c28f2bd97cef4094f703870b1cca4ffbbc7bbee5c822c14aca53802ae81b
                            • Instruction Fuzzy Hash: C051C0B12043019BE336CF19C884BABBBE8FF94244F54491EE959CB254E770D609CBA2
                            Function 01520274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                            • API String ID: 0-1700792311
                            • Opcode ID: eed9ec6c0682d3219544692c5a75ffa1e2e01ffe71e41012677bc4b35ed0e5a2
                            • Instruction ID: 97f71aeacfc78be7546d57a96d32930f2daa10fe340ebed7edd56165611a17cc
                            • Opcode Fuzzy Hash: eed9ec6c0682d3219544692c5a75ffa1e2e01ffe71e41012677bc4b35ed0e5a2
                            • Instruction Fuzzy Hash: EBD10D32601696DFDB22DF69C440AADBBF1FF5A704F18801AF8459F2E2C735A885CB51
                            Function 014F89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                            Download Yara Rule
                            Strings
                            • AVRF: -*- final list of providers -*- , xrefs: 014F8B8F
                            • VerifierDebug, xrefs: 014F8CA5
                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 014F8A3D
                            • VerifierFlags, xrefs: 014F8C50
                            • HandleTraces, xrefs: 014F8C8F
                            • VerifierDlls, xrefs: 014F8CBD
                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 014F8A67
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                            • API String ID: 0-3223716464
                            • Opcode ID: aa492874caee1c05daf43c0a6169de4d1b91a28593781f4e80a3ae665e3c72ba
                            • Instruction ID: 7afc6fb82ccd0fba2614166cc4e5dd676211111a61845f7c2a7304f077b3efe1
                            • Opcode Fuzzy Hash: aa492874caee1c05daf43c0a6169de4d1b91a28593781f4e80a3ae665e3c72ba
                            • Instruction Fuzzy Hash: 2691F172641347AFD722DF299880B1B7BA8AF64A54F06051EFB406F3B1E770980987D1
                            Function 0147EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                            • API String ID: 0-1109411897
                            • Opcode ID: 2406ebc4d23fc068da45147fc00aa5ffbeff0f13333d2b9b612031b196a97c5a
                            • Instruction ID: f37b17c9e25f5f36e9af1ed65fde9f63616cedba3c3f19b5637936424fb9eed4
                            • Opcode Fuzzy Hash: 2406ebc4d23fc068da45147fc00aa5ffbeff0f13333d2b9b612031b196a97c5a
                            • Instruction Fuzzy Hash: 48A24974A0562A8FDF64CF19C8987AABBB5AF45304F1442EAD91DA7760DB309EC5CF00
                            Function 014A63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-792281065
                            • Opcode ID: d43eef0a44798658e7415e39b8e76055f56f2fd862d1f3a3a6be677f3c1ec039
                            • Instruction ID: d0c466a5ede9e4bcc5702a1fee4c14bc6504912e31240abaa2615c5621db6539
                            • Opcode Fuzzy Hash: d43eef0a44798658e7415e39b8e76055f56f2fd862d1f3a3a6be677f3c1ec039
                            • Instruction Fuzzy Hash: 8E914770A00312DBEB25DF59D848BAA7BE1BB20B55F5A012FD910AF3B1D7B49802D7D4
                            Function 0146645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                            Download Yara Rule
                            Strings
                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014C99ED
                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 014C9A01
                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 014C9A2A
                            • apphelp.dll, xrefs: 01466496
                            • LdrpInitShimEngine, xrefs: 014C99F4, 014C9A07, 014C9A30
                            • minkernel\ntdll\ldrinit.c, xrefs: 014C9A11, 014C9A3A
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-204845295
                            • Opcode ID: afd168b17d14014070afe91532b7b808c17eb8208641d15f497e655f4bfae72a
                            • Instruction ID: a2bdb7a780e14b2b5a30c771c57794f1bbbc11ec330c54d73b6f23234a5ee50b
                            • Opcode Fuzzy Hash: afd168b17d14014070afe91532b7b808c17eb8208641d15f497e655f4bfae72a
                            • Instruction Fuzzy Hash: A551DD71208340AFE764DF29D841AAB77E8EB94B48F11091FF9959B271D631E904CB92
                            Function 014A2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                            Download Yara Rule
                            Strings
                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 014E2180
                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 014E219F
                            • SXS: %s() passed the empty activation context, xrefs: 014E2165
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014E21BF
                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 014E2178
                            • RtlGetAssemblyStorageRoot, xrefs: 014E2160, 014E219A, 014E21BA
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                            • API String ID: 0-861424205
                            • Opcode ID: b50fbdb197b403dee580b5508b9ee59c83330c6fc3b1ead869153d2a1ddeff42
                            • Instruction ID: 1ffe78787fc08b1f0db6343560c19b95ee9e660db6008798341cc67c1896281f
                            • Opcode Fuzzy Hash: b50fbdb197b403dee580b5508b9ee59c83330c6fc3b1ead869153d2a1ddeff42
                            • Instruction Fuzzy Hash: 3B31263AB00211B7E7218B9A8C45F5BBAB8DB74A41F46006FFB046B361D2B0DF01D3A1
                            Function 014AC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                            Download Yara Rule
                            Strings
                            • LdrpInitializeImportRedirection, xrefs: 014E8177, 014E81EB
                            • LdrpInitializeProcess, xrefs: 014AC6C4
                            • Loading import redirection DLL: '%wZ', xrefs: 014E8170
                            • minkernel\ntdll\ldrredirect.c, xrefs: 014E8181, 014E81F5
                            • minkernel\ntdll\ldrinit.c, xrefs: 014AC6C3
                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 014E81E5
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-475462383
                            • Opcode ID: b3568365d04bbeeb79067ae54988b501cfa2194345afdbbbaeae181ef58cc6ae
                            • Instruction ID: d9e0f671b6db38978b081c94cc13b74334666499d07e5eebba3c02615da2d0f3
                            • Opcode Fuzzy Hash: b3568365d04bbeeb79067ae54988b501cfa2194345afdbbbaeae181ef58cc6ae
                            • Instruction Fuzzy Hash: 793113B16447069FD320EF2AD885E1BBBD5AFA0B10F01051EF9446B3B1E630EC04C7A2
                            Function 014B096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 014B2DF0: LdrInitializeThunk.NTDLL ref: 014B2DFA
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014B0BA3
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014B0BB6
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014B0D60
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014B0D74
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                            • String ID:
                            • API String ID: 1404860816-0
                            • Opcode ID: f7330297798bd7b5ed8a82c4fec2c1625e07c34b0b8d33f8a806b9ed5b0910f0
                            • Instruction ID: 306f44cbff8f3068a98754d5873b2086086067b16bf6caa142d6d834893a6932
                            • Opcode Fuzzy Hash: f7330297798bd7b5ed8a82c4fec2c1625e07c34b0b8d33f8a806b9ed5b0910f0
                            • Instruction Fuzzy Hash: 9A425971900715DFDB21CF28C884BEAB7F5BF04315F1445AAE989AB352E770AA85CF60
                            Function 0147A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                            • API String ID: 0-379654539
                            • Opcode ID: 4feae0978828f180dd8fac54d68d736610a550bb9f238065e9a5f692fb50d7e0
                            • Instruction ID: 3e38043a6680ca87b84bba34c4da449b4ebb9513021e59ae2188ff6210549d30
                            • Opcode Fuzzy Hash: 4feae0978828f180dd8fac54d68d736610a550bb9f238065e9a5f692fb50d7e0
                            • Instruction Fuzzy Hash: 55C188712083828FDB21CF68C144BAEB7E4BF84704F18496BF9958B360E775C94ACB52
                            Function 014A8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                            Download Yara Rule
                            Strings
                            • LdrpInitializeProcess, xrefs: 014A8422
                            • @, xrefs: 014A8591
                            • minkernel\ntdll\ldrinit.c, xrefs: 014A8421
                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 014A855E
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1918872054
                            • Opcode ID: 111e46e6792c2bc65c245a260dd22075157345c639c6cb0fd43699c0baa5225f
                            • Instruction ID: 4c01090f8c26d96e0ef9250d0ed1d099fb5b59b859020e744d3e562f17147ea8
                            • Opcode Fuzzy Hash: 111e46e6792c2bc65c245a260dd22075157345c639c6cb0fd43699c0baa5225f
                            • Instruction Fuzzy Hash: F391A571508346AFD721DF26CC44FABBAE8FFA4645F80092FFA8496161E770D944CB62
                            Function 014A273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                            Download Yara Rule
                            Strings
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014E22B6
                            • .Local, xrefs: 014A28D8
                            • SXS: %s() passed the empty activation context, xrefs: 014E21DE
                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014E21D9, 014E22B1
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                            • API String ID: 0-1239276146
                            • Opcode ID: 0082ad06a8be8fbd218c268dc8c38da8bde78b9de08e58369ed518c862b52f51
                            • Instruction ID: cfd4957b6469ca7b0bdaa659ff21bc03770a30dce0a659eb86db21993733fd5c
                            • Opcode Fuzzy Hash: 0082ad06a8be8fbd218c268dc8c38da8bde78b9de08e58369ed518c862b52f51
                            • Instruction Fuzzy Hash: 63A1D531A002299BDB24CF59CC88F9AB7B4BF68714F5541EBD908A7361D7709E81CF90
                            Function 014A4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                            Download Yara Rule
                            Strings
                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 014E3456
                            • RtlDeactivateActivationContext, xrefs: 014E3425, 014E3432, 014E3451
                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 014E3437
                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 014E342A
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                            • API String ID: 0-1245972979
                            • Opcode ID: 97d7d707d0b0e0041e4b4b7bc3211165683d4c987770f56c473eb9e12a4baa8d
                            • Instruction ID: f834f396e4f1f5ef385d698617307e42b0a5387e225186a60a84297b79453a2f
                            • Opcode Fuzzy Hash: 97d7d707d0b0e0041e4b4b7bc3211165683d4c987770f56c473eb9e12a4baa8d
                            • Instruction Fuzzy Hash: 1D6100366006129BD723CF1DC845B2BB7E1AFA0B21F5E852FE9599B361C770E801CB91
                            Function 014764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                            Download Yara Rule
                            Strings
                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 014D106B
                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 014D0FE5
                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014D10AE
                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 014D1028
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                            • API String ID: 0-1468400865
                            • Opcode ID: 759eb1b1ed7104ae374ec8f633e383021ccf79a09fce12ee25c55b830b29517d
                            • Instruction ID: 515145c975e786b3cfa46d12bc7773c1548b4e1091f95f8fc12652f11b177420
                            • Opcode Fuzzy Hash: 759eb1b1ed7104ae374ec8f633e383021ccf79a09fce12ee25c55b830b29517d
                            • Instruction Fuzzy Hash: FE7100B19047059FDB21DF19C884BDB7FA9AF64B64F01046EF9488B266D334D188DBE2
                            Function 0149245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                            Download Yara Rule
                            Strings
                            • LdrpDynamicShimModule, xrefs: 014DA998
                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 014DA992
                            • apphelp.dll, xrefs: 01492462
                            • minkernel\ntdll\ldrinit.c, xrefs: 014DA9A2
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-176724104
                            • Opcode ID: 38eed43e4c34f6cc2636793f2c008abac08337c49587487ea90fccdd88edd7eb
                            • Instruction ID: 201257dd91cfc449a3f887557576775c0c97996e39a541bb2dc703a601d97f39
                            • Opcode Fuzzy Hash: 38eed43e4c34f6cc2636793f2c008abac08337c49587487ea90fccdd88edd7eb
                            • Instruction Fuzzy Hash: 47314A75600202EBDF319F6E8855E6A7BB4FB90B00F26015FE9116B375C7B05945D7C0
                            Function 014829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                            Download Yara Rule
                            Strings
                            • HEAP: , xrefs: 01483264
                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0148327D
                            • HEAP[%wZ]: , xrefs: 01483255
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                            • API String ID: 0-617086771
                            • Opcode ID: a58e7f3efc175e416b27e8cbebd36cafabb9047a88785e03fe6e57b934e49bab
                            • Instruction ID: 73e4fa72fd7c6882d646dd472b78be7c6b54f4d799f4d802d8cf656ab671c8af
                            • Opcode Fuzzy Hash: a58e7f3efc175e416b27e8cbebd36cafabb9047a88785e03fe6e57b934e49bab
                            • Instruction Fuzzy Hash: 7592DD71A042499FDB25DF6CC440BAEBBF1FF48704F18806AE859AB3A1D774A946CF50
                            Function 01480770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-4253913091
                            • Opcode ID: c6283ea3e82a65145c21fbd3034427534f5bb72b1bf1cf8a168b439ecd8f66a0
                            • Instruction ID: 3ce2ae60b89a2989ae76bff9448062cf61ff7b5315e24510157cc01d675ac49f
                            • Opcode Fuzzy Hash: c6283ea3e82a65145c21fbd3034427534f5bb72b1bf1cf8a168b439ecd8f66a0
                            • Instruction Fuzzy Hash: DFF19B30A10606DFEB25DF68C894B6EB7B5FF45304F14816AE4169B3A1DB30E989CF91
                            Function 01496962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: $@
                            • API String ID: 0-1077428164
                            • Opcode ID: 5799ddae133d4df87e35a1370fd3d004745d03220f8d09d313bc4cc6986481bb
                            • Instruction ID: fc05b0bccdfcaa73bdb20c0738cf5675ff3d6bce46bed3af2b0cf4c1714a76f1
                            • Opcode Fuzzy Hash: 5799ddae133d4df87e35a1370fd3d004745d03220f8d09d313bc4cc6986481bb
                            • Instruction Fuzzy Hash: 61C29E716183419FEF25CF29C881BABBBE5AF88714F05892EF98987361D734D805CB52
                            Function 0146A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: FilterFullPath$UseFilter$\??\
                            • API String ID: 0-2779062949
                            • Opcode ID: 38d77869221217f86881fced5bb130d3dd746cd64fa769215013b29711296bcd
                            • Instruction ID: 2b377872bc2b5cab24aff176331f5bf58e1229fded323a666d2a4ff95f627347
                            • Opcode Fuzzy Hash: 38d77869221217f86881fced5bb130d3dd746cd64fa769215013b29711296bcd
                            • Instruction Fuzzy Hash: AFA18D359006299BDB71DF28CC88BEAB7B8EF54B14F1041EAD90CA7260D735AE85CF50
                            Function 01490BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                            Download Yara Rule
                            Strings
                            • LdrpCheckModule, xrefs: 014DA117
                            • Failed to allocated memory for shimmed module list, xrefs: 014DA10F
                            • minkernel\ntdll\ldrinit.c, xrefs: 014DA121
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-161242083
                            • Opcode ID: 158899d629fc82dd06d0ef7e9120a8376cd9ac8caf6d1340a53e7194b3c67989
                            • Instruction ID: ee659dfdfc4b33df2ba9076026000f41523d8fee9a168cd8e535ea13ac0f84ab
                            • Opcode Fuzzy Hash: 158899d629fc82dd06d0ef7e9120a8376cd9ac8caf6d1340a53e7194b3c67989
                            • Instruction Fuzzy Hash: 4B71E370A00206DFDF29DF6DC991AAEBBF8FB54204F15402EE415AB371E734A946CB90
                            Function 01480A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-1334570610
                            • Opcode ID: 4e80a4a50430aaa47eaeb666301c3e3cbd6aa896996995051ceb59c20a987804
                            • Instruction ID: c5a023c46c4ed43b0c207cbfac8ba5c1c8c2a1ddfd986516621aa0d0d3069350
                            • Opcode Fuzzy Hash: 4e80a4a50430aaa47eaeb666301c3e3cbd6aa896996995051ceb59c20a987804
                            • Instruction Fuzzy Hash: 81618C706103029FDB29DF68C490B6ABBE1FF55704F14856EE8598F3A2DB70E885CB91
                            Function 014AC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                            Download Yara Rule
                            Strings
                            • Failed to reallocate the system dirs string !, xrefs: 014E82D7
                            • LdrpInitializePerUserWindowsDirectory, xrefs: 014E82DE
                            • minkernel\ntdll\ldrinit.c, xrefs: 014E82E8
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-1783798831
                            • Opcode ID: 297e74bf5ad996b0ed27743cbdb61663d1f86b8d905bc465e329684cee09d7ee
                            • Instruction ID: 1bbc540bba82ee27c6472ff3055debb534016186db8ff2e9a13100a8c05c7e19
                            • Opcode Fuzzy Hash: 297e74bf5ad996b0ed27743cbdb61663d1f86b8d905bc465e329684cee09d7ee
                            • Instruction Fuzzy Hash: 4E4102B5544302ABCB21EB69D984F5B7BE8AF64A50F02082FF9549B271EB70D804CBD1
                            Function 0152C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                            Download Yara Rule
                            Strings
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0152C1C5
                            • PreferredUILanguages, xrefs: 0152C212
                            • @, xrefs: 0152C1F1
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                            • API String ID: 0-2968386058
                            • Opcode ID: a86e5236b36227800ecb2c65627694b01bc466f44883ec38f50f047b6c0e478b
                            • Instruction ID: 09d9273f051de437a712982479e9a082e377b6e0fd118e9a967bc44b233cb3ae
                            • Opcode Fuzzy Hash: a86e5236b36227800ecb2c65627694b01bc466f44883ec38f50f047b6c0e478b
                            • Instruction Fuzzy Hash: 5D418672E00219EBDF11DFD9C881FEEB7B8BB26704F14406AE645BB291DB749A448B50
                            Function 01504144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                            • API String ID: 0-1373925480
                            • Opcode ID: d7e61441744e4e5c4811503dd70c008463e4828d463aeb743d8a631cd600658f
                            • Instruction ID: 871d0f707defea1a7044f6a15d4c48e314f3d03c65b2bc5d7c35315596c19f62
                            • Opcode Fuzzy Hash: d7e61441744e4e5c4811503dd70c008463e4828d463aeb743d8a631cd600658f
                            • Instruction Fuzzy Hash: D141E132A0064A8BEB26DFE9C840BADBBF4FF65740F14045ADA01AF7E1D7349901CB51
                            Function 014F4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                            Download Yara Rule
                            Strings
                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 014F4888
                            • minkernel\ntdll\ldrredirect.c, xrefs: 014F4899
                            • LdrpCheckRedirection, xrefs: 014F488F
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                            • API String ID: 0-3154609507
                            • Opcode ID: f62eb174ee1b6078109a392b28aa0450e5022ecca94fbaf2607f62668a503ae4
                            • Instruction ID: 0d83bca4c657733db787151e4e50fc985d1fbf25a522bcb0ad22f81426954c9c
                            • Opcode Fuzzy Hash: f62eb174ee1b6078109a392b28aa0450e5022ecca94fbaf2607f62668a503ae4
                            • Instruction Fuzzy Hash: 3D41A136A046519FDB21CE5DD840A277BE4AF49A50F0A055FEE589B375DB30E801CB91
                            Function 01480BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                            • API String ID: 0-2558761708
                            • Opcode ID: c65a1f164fcb3221289e7062b1d326433b75ff965e93da639667a4bd881cd0fe
                            • Instruction ID: 8ee8808f78245a26390dc0e2f6e8ebec7804f1d9d2504bfdb5233cac1396a1b0
                            • Opcode Fuzzy Hash: c65a1f164fcb3221289e7062b1d326433b75ff965e93da639667a4bd881cd0fe
                            • Instruction Fuzzy Hash: D911A2313651429FDF19DA19C461B7AB7A4EF50629F18812FF806CF271DB30D849C792
                            Function 014F20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                            Download Yara Rule
                            Strings
                            • LdrpInitializationFailure, xrefs: 014F20FA
                            • Process initialization failed with status 0x%08lx, xrefs: 014F20F3
                            • minkernel\ntdll\ldrinit.c, xrefs: 014F2104
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                            • API String ID: 0-2986994758
                            • Opcode ID: f970edb07f05475444eb09f3f0250da4ae2fcbc65ab81c9d602dce751e145909
                            • Instruction ID: 9e27291f84c3990d52b5e65f3784e5ea8bee8979be5e47a9c3e3dfe74306db34
                            • Opcode Fuzzy Hash: f970edb07f05475444eb09f3f0250da4ae2fcbc65ab81c9d602dce751e145909
                            • Instruction Fuzzy Hash: 90F0AF75640209ABE724E64D9D56F9A3768EB50A54F21005FFB047B3A2D2F0AA04C695
                            Function 014803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: #%u
                            • API String ID: 48624451-232158463
                            • Opcode ID: 6d34d5d4b10c15876558f2a0cd1477b5314619b4f0de939edd27471cf7bd7452
                            • Instruction ID: 9ec573c463be89db15c0fe457631d026e85715045aedcc09e44eecd9b3898f07
                            • Opcode Fuzzy Hash: 6d34d5d4b10c15876558f2a0cd1477b5314619b4f0de939edd27471cf7bd7452
                            • Instruction Fuzzy Hash: FA715B71A0114A9FDB01DFA9C990BAEB7F8BF58704F15406AE905E7361EB34ED05CBA0
                            Function 0147A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                            Download Yara Rule
                            Strings
                            • LdrResSearchResource Enter, xrefs: 0147AA13
                            • LdrResSearchResource Exit, xrefs: 0147AA25
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                            • API String ID: 0-4066393604
                            • Opcode ID: d7aae799572b90f94142014014d63c106e7d3aced1f8f8ed6852b02b37480642
                            • Instruction ID: 491772070073d114d478449e7519eadf56b172a4258b044da4fefe4a7fd2bab8
                            • Opcode Fuzzy Hash: d7aae799572b90f94142014014d63c106e7d3aced1f8f8ed6852b02b37480642
                            • Instruction Fuzzy Hash: 3CE18371A042159FEF22DFA9C990BEEBBB9BF54310F28042BEA01E7361D7749941CB51
                            Function 0153A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                            • Instruction ID: e90b5451c9f985aaab77dc523a4396aa06f9030c957ef326131c51d497b3d48f
                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                            • Instruction Fuzzy Hash: AAC1AB312043469BEB25CE29C881B6BBBE5BFD4318F084A2DF6D6CB290D7B5D505CB91
                            Function 014EE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            • Opcode ID: 63c527638f54425b5523fff9ad1123f2e175f6c4ec395316a82de11b625f9410
                            • Instruction ID: c4a3883f805e08b73e8503952ba36abd6a3cff991ffe9d359b31c54cc62d5e55
                            • Opcode Fuzzy Hash: 63c527638f54425b5523fff9ad1123f2e175f6c4ec395316a82de11b625f9410
                            • Instruction Fuzzy Hash: 0B616C71E002099FDB15DFA9C884BAEBBF9FB58701F14446EE649EB2A1D731E901CB50
                            Function 015143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$MUI
                            • API String ID: 0-17815947
                            • Opcode ID: 379c5d7f25d291e12d6f1ce8b48c581007450a4c044a28fed1648d9927c48831
                            • Instruction ID: 98d61db5cab5899b147dec97e1d8f839d15a66dc60b76d56c2a7aea9cf1190b9
                            • Opcode Fuzzy Hash: 379c5d7f25d291e12d6f1ce8b48c581007450a4c044a28fed1648d9927c48831
                            • Instruction Fuzzy Hash: 3F51F971E4021DAFEF12DFA9CC90EEEBBB8FB54754F10052AE611AB294D7709905CB60
                            Function 014704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                            Download Yara Rule
                            Strings
                            • kLsE, xrefs: 01470540
                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0147063D
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                            • API String ID: 0-2547482624
                            • Opcode ID: 244ba596f48240f580613c3721b83cd0990988f096c7126aa7538710c57cabae
                            • Instruction ID: b8050ced7164af55c1cfb00e0ec3150d432a09d06c10af65aa07b18a591be695
                            • Opcode Fuzzy Hash: 244ba596f48240f580613c3721b83cd0990988f096c7126aa7538710c57cabae
                            • Instruction Fuzzy Hash: D051AB715057428BD724EF29C4806E7BBE4AF86304F10883FEAAA87261E770E545CB92
                            Function 0147A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                            Download Yara Rule
                            Strings
                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0147A2FB
                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0147A309
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                            • API String ID: 0-2876891731
                            • Opcode ID: d25a9b28a23df8ca8ca8f18d47a2b3d021c79f875264bb9b5482d810a16127ce
                            • Instruction ID: fe853ea6416e9f828d3801c28189587814de326904ada65cbe46936128b489fa
                            • Opcode Fuzzy Hash: d25a9b28a23df8ca8ca8f18d47a2b3d021c79f875264bb9b5482d810a16127ce
                            • Instruction Fuzzy Hash: 48418931A04659DBEB21DF69C850BAE7BB4FF95700F2840AAE910DB3B1E3B5D901CB50
                            Function 014AA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Cleanup Group$Threadpool!
                            • API String ID: 2994545307-4008356553
                            • Opcode ID: 4ee8ad3b38632e2d89424549319d944492f9dd21f18d8581ec159dad361c7a82
                            • Instruction ID: e3cb28c5f37b281d1dc138247faba3058dfce56dc0574096be991b7b6c856927
                            • Opcode Fuzzy Hash: 4ee8ad3b38632e2d89424549319d944492f9dd21f18d8581ec159dad361c7a82
                            • Instruction Fuzzy Hash: 6A01D672140700AFD311DF14DE45F1677E8E7A4715F06893AE55CCB1A0E374D804CB45
                            Function 0147C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: MUI
                            • API String ID: 0-1339004836
                            • Opcode ID: e13e38b354ffd58fed88b35b20a324e1f87be9c92daa7442846833e37c9bf373
                            • Instruction ID: 3c4a15a1fd62dc4c6c01b321670a62334ab51b3604da369ae48743bc464a0ffd
                            • Opcode Fuzzy Hash: e13e38b354ffd58fed88b35b20a324e1f87be9c92daa7442846833e37c9bf373
                            • Instruction Fuzzy Hash: 93826E75E102199FEB25CFA9C9807EEBBB5FF48310F14816AE919AB361D7309D42CB50
                            Function 014F6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 6a0c152488761b68d003393b2828c905c1da26d5466a0ab81db12401dbf669d3
                            • Instruction ID: d67e08c0a443162aa1967d0120a04c92d129e29216c525608f419ad453a83145
                            • Opcode Fuzzy Hash: 6a0c152488761b68d003393b2828c905c1da26d5466a0ab81db12401dbf669d3
                            • Instruction Fuzzy Hash: 92916371A00219AFEB21DF95CD85FAE7BB9EF15B50F11405AF700BB2A1D775A900CB60
                            Function 0151E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 812e65641c03ed5a6e1265f42d90b0ee49e289a5629fd1effbfe958762ce501c
                            • Instruction ID: 645a1aa520e41f5789562eb13a9d06eef7c3057d9cccd82191df4b1d13177742
                            • Opcode Fuzzy Hash: 812e65641c03ed5a6e1265f42d90b0ee49e289a5629fd1effbfe958762ce501c
                            • Instruction Fuzzy Hash: 1591B072900509AEEB23AFA5CC55FEFBBB9FF55740F10001AF911AB260D774A901CB60
                            Function 014AA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: GlobalTags
                            • API String ID: 0-1106856819
                            • Opcode ID: 963f9d440a0d0b2fd295ad545b82a7bdc6e4ac37dcc15b3168c287dac8ec3fa4
                            • Instruction ID: 0e9125dae4e0947c103d007c67dbae96aa1479f8f38250efd5f84616dd6d27dd
                            • Opcode Fuzzy Hash: 963f9d440a0d0b2fd295ad545b82a7bdc6e4ac37dcc15b3168c287dac8ec3fa4
                            • Instruction Fuzzy Hash: 26716CB5E0120A8BDF29CF9DC5946AEBBF1BF68711F25812FE405AB361E7309841CB50
                            Function 01514978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: .mui
                            • API String ID: 0-1199573805
                            • Opcode ID: 01449d5948fba0d43e55bdd7f909ccd7a68337b81606e2bd8cfb21b7b7d9b4a0
                            • Instruction ID: 394e685bf25220ceae9d54fb9b9bcce2d235c50c6d33cb6ee158281864b824eb
                            • Opcode Fuzzy Hash: 01449d5948fba0d43e55bdd7f909ccd7a68337b81606e2bd8cfb21b7b7d9b4a0
                            • Instruction Fuzzy Hash: 9551B172D0022A9BEF12DF99D840AAEBBB5BF14B10F05512EEA15BF254D7749C01CBE4
                            Function 0148E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: EXT-
                            • API String ID: 0-1948896318
                            • Opcode ID: 88f0092a0864e3fbfb9c9f190c401d79e06caf7487c9330190e75978ec1c115b
                            • Instruction ID: b72f18162107408a900fcae5c262ab56a11fd3222c4a24bf91f0d2595daadfd7
                            • Opcode Fuzzy Hash: 88f0092a0864e3fbfb9c9f190c401d79e06caf7487c9330190e75978ec1c115b
                            • Instruction Fuzzy Hash: 3741A1725083129BD711FB75C840B6FB7D8AF98B14F04092FF684E7260E774D9058796
                            Function 014EC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            • Opcode ID: 66de9abd023e59b12b578151fc9b87bdddb7ac99177beffef969a5ce06770a16
                            • Instruction ID: 45c680cf94d7efc258a2835356e2fd7d7b49792451ebf10cf10e65c70dcad47d
                            • Opcode Fuzzy Hash: 66de9abd023e59b12b578151fc9b87bdddb7ac99177beffef969a5ce06770a16
                            • Instruction Fuzzy Hash: 754164F1D0012DAADF21DA50CCC4FDEB7BCAB54715F0045AAEB08AB150DB709E888FA4
                            Function 01506B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: #
                            • API String ID: 0-1885708031
                            • Opcode ID: f6361fdc1b0eb8a56b5445a184c69eefa888168beaf1131d0de597b1814c7856
                            • Instruction ID: f7c43d52bf4a2fc4684fa1549647b560a84ec391995e198c8e15427a9cd37a51
                            • Opcode Fuzzy Hash: f6361fdc1b0eb8a56b5445a184c69eefa888168beaf1131d0de597b1814c7856
                            • Instruction Fuzzy Hash: D1310331A006199AEB23DBA9C854BEE7BB8FF14704F14402DE941AF2D2DB75D855CBA0
                            Function 014ECA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryName
                            • API String ID: 0-215506332
                            • Opcode ID: d10f90c456546bd5c69e4b12ef76671a9079f8387cb3c51ad75cedccccebf81d
                            • Instruction ID: eb8123fbcc43987b24a6c74d91ddc352d69fb43c40d2e5dbaa78e73ed09cc4f3
                            • Opcode Fuzzy Hash: d10f90c456546bd5c69e4b12ef76671a9079f8387cb3c51ad75cedccccebf81d
                            • Instruction Fuzzy Hash: 9C312536D00515AFEF15DB59D889EBFBBB4EF90720F01412AE911AB260D730AE00DBE0
                            Function 014F892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                            Download Yara Rule
                            Strings
                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 014F895E
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                            • API String ID: 0-702105204
                            • Opcode ID: fdc5420c5ed528a087682e81d2dc5a1090abbc0c99f3d2457686644a8fdf6479
                            • Instruction ID: 9628d84df1ad3a8c8da7a6c3c1fdf49e0e18771c680a9eef2909d809abf440b5
                            • Opcode Fuzzy Hash: fdc5420c5ed528a087682e81d2dc5a1090abbc0c99f3d2457686644a8fdf6479
                            • Instruction Fuzzy Hash: DB01DF322102029BE7216B5ACC84E5A7B69EFA1298B04112FF7411F372CB30A885C6D2
                            Function 01512000 Relevance: .8, Instructions: 757COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9cc55c9a756c14e18d73144cb264bfa2e9aa595dfd27512b5ab84157be0593a0
                            • Instruction ID: 1f51ac1516ff8a72b98cf578aa98348a03824c4c5a501ade89f350effab463be
                            • Opcode Fuzzy Hash: 9cc55c9a756c14e18d73144cb264bfa2e9aa595dfd27512b5ab84157be0593a0
                            • Instruction Fuzzy Hash: 6C42D6356083419FF726DF69C890A6FBBE5BF98300F28092DFA869B254D770D845CB52
                            Function 01508158 Relevance: .6, Instructions: 617COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cac05b7b60d256c8392ee5452aeb97aaff833f627447950b6834c9bf4edd276d
                            • Instruction ID: ee02ce2e723067e9ac8e4c506b0817d1da76d7f3d1415475881f2357a4892b0a
                            • Opcode Fuzzy Hash: cac05b7b60d256c8392ee5452aeb97aaff833f627447950b6834c9bf4edd276d
                            • Instruction Fuzzy Hash: 7C427071E002198FEB25CFA9CC41BADBBF5BF98300F158099E949EB291D7349985CF50
                            Function 01482840 Relevance: .6, Instructions: 605COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 104999565ee35e93444352f8caa3be3cb2bbbb567564144df14fee5d3678948a
                            • Instruction ID: fe037b82d0c5616c72311f27404d8151b6bbdc035604e858f9e3cc7e584a0791
                            • Opcode Fuzzy Hash: 104999565ee35e93444352f8caa3be3cb2bbbb567564144df14fee5d3678948a
                            • Instruction Fuzzy Hash: 6132E070A007568BDF25CF69C864BBEBBF2BF84304F16411EE44A9B3A5D775A842CB50
                            Function 0151A118 Relevance: .6, Instructions: 591COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b65d4afbcf2a7ad2e7b77d9a3b023207b34c8f37e0d235c1cd41f1a9a6fc308
                            • Instruction ID: ad6cf4e0535c5c234685e0f7f5ba60485d3e61e8a080e3a5be053e4e1237e2e1
                            • Opcode Fuzzy Hash: 3b65d4afbcf2a7ad2e7b77d9a3b023207b34c8f37e0d235c1cd41f1a9a6fc308
                            • Instruction Fuzzy Hash: 4B22A0746066D18AFB27CF2DC09477ABBE1BF44300F08885AD9968F28AE375D552DB60
                            Function 01476A50 Relevance: .5, Instructions: 548COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 90f3b380556f55bb9d96cc16231a5eaa08c1a7b9793c4c398a27c48f9725b944
                            • Instruction ID: 776a9947808f6795d12842da8f3852ef71aaae4fa8f6d3334654340ebeb0ac74
                            • Opcode Fuzzy Hash: 90f3b380556f55bb9d96cc16231a5eaa08c1a7b9793c4c398a27c48f9725b944
                            • Instruction Fuzzy Hash: 0432AF71A00615CFEB25CF69C490BAEBBF2FF48310F15856AE955AB361DB34E841CB90
                            Function 01494A35 Relevance: .4, Instructions: 423COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                            • Instruction ID: fb28f952dc14d14120be9d0507d4bf9b67d52321c799a0631fc479cd58a0e704
                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                            • Instruction Fuzzy Hash: 52F16E71E0021A9FDF15CF99C690BAEBFF5AF48714F09812AE905AB364E734D842CB50
                            Function 0150892B Relevance: .4, Instructions: 386COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 527301ef05231e782e91505bac06489458c21bde702f6e8b07284d127367958c
                            • Instruction ID: 0a5e60f90b1530166443d55187f880e2a97e5f08e80ad70e452cced8c287b719
                            • Opcode Fuzzy Hash: 527301ef05231e782e91505bac06489458c21bde702f6e8b07284d127367958c
                            • Instruction Fuzzy Hash: 94D1E271E00A0A8BDF16CF99C841EFEBBF1BF88314F188569D955AB281D735E905CB60
                            Function 014765D0 Relevance: .4, Instructions: 383COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 423b767fa8d81988e4a3b165058aef7121fea6618b199cfd6c2119348094147c
                            • Instruction ID: fea2892b5429fcc6ecd9a1863ed869197062c7523ab326a52e469240d1898218
                            • Opcode Fuzzy Hash: 423b767fa8d81988e4a3b165058aef7121fea6618b199cfd6c2119348094147c
                            • Instruction Fuzzy Hash: 6FE1A171508742CFD715DF28C090AABBBE1FF88304F06896EE99987361DB31E905CB92
                            Function 01468397 Relevance: .4, Instructions: 380COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5ad5133d99bba816cec9137aa173874b2b518c7dce506dad269b860289499412
                            • Instruction ID: 76781d95609f201c4d7f8d245b3adef8e40202c2098681c290cad2cab3c8720d
                            • Opcode Fuzzy Hash: 5ad5133d99bba816cec9137aa173874b2b518c7dce506dad269b860289499412
                            • Instruction Fuzzy Hash: 27D1E4756003079BDB14CF69C881ABB77A9FF64748F04422FE916DB2A0E734D951CB62
                            Function 014F8243 Relevance: .3, Instructions: 322COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                            • Instruction ID: 7ac4fa70f0a8f077737e483581960b2965fc0c5162046c35206869d3794d44fb
                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                            • Instruction Fuzzy Hash: F8B15275A006069FDF24DF99C940AAFBBB9FF94304F14446EAB429B7A0DB34E905CB10
                            Function 01480535 Relevance: .3, Instructions: 300COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                            • Instruction ID: c4b729ec05971bd1ab38fc3e5d3fbe7e35021fad1ba08f40b542c48ffdd8c10e
                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                            • Instruction Fuzzy Hash: 40B10871600646AFDF12EB68C860BBFBBF6AF45204F18015BE5569B3A1DB30E945CB60
                            Function 014783C0 Relevance: .3, Instructions: 281COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d68b09d38c9afabb53e52d25a652cc7666018b63bb1002247f9047d3aacb7788
                            • Instruction ID: c51c609ba558486582b50dde847186c9e20dd5a4146ad327b955b0ac924e35c1
                            • Opcode Fuzzy Hash: d68b09d38c9afabb53e52d25a652cc7666018b63bb1002247f9047d3aacb7788
                            • Instruction Fuzzy Hash: 6EC169746083418FE764CF19C494BABB7E4BF98704F44492EE989873A1E774E905CF92
                            Function 0146C427 Relevance: .3, Instructions: 280COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4890ea208eba6a0a7ec93f66715cfd3dfd3f795e34270425cf5b14a1315404c8
                            • Instruction ID: 33a08baa67f13fd803e26e8523ed062c71a54efc5756d490e39b0abdd05e23fe
                            • Opcode Fuzzy Hash: 4890ea208eba6a0a7ec93f66715cfd3dfd3f795e34270425cf5b14a1315404c8
                            • Instruction Fuzzy Hash: 95B1A470A002668BDB64CF59C880BAAB3B5EF54704F1485EFD54AE7361EB30DD86CB25
                            Function 0149E5E7 Relevance: .3, Instructions: 278COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: de2853818563182e5514b569b5a55d3ea2cb01b3d9e4afd8a07e7ea9680796b8
                            • Instruction ID: 884a7b93403db070d24ba737423fbbd026fea4bb9541363752119fd5de6e40c0
                            • Opcode Fuzzy Hash: de2853818563182e5514b569b5a55d3ea2cb01b3d9e4afd8a07e7ea9680796b8
                            • Instruction Fuzzy Hash: 0FA1E131E00655ABEF31DA58C854BAEBFA4BB00B14F05016BEA11BB3B1D774AD46CBD1
                            Function 014B0185 Relevance: .3, Instructions: 276COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6bbadbccc3b4261504003c41befd4ca27e7529484a9498d2741f15decc875164
                            • Instruction ID: 3f92ae0cbd17811a62127436d08103706bab5191f3f14d3d1dd4ae44f719c110
                            • Opcode Fuzzy Hash: 6bbadbccc3b4261504003c41befd4ca27e7529484a9498d2741f15decc875164
                            • Instruction Fuzzy Hash: D2A1D070B006169BDB25CF69C5D0BABB7B1FF54316F00402BEA05973A1DB38E816CBA0
                            Function 01544500 Relevance: .3, Instructions: 275COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1bf22a4b500be9bd3b34203b48534048dd57b647e199b619395e6398ab5e231
                            • Instruction ID: 24df4fd59b71a7a782c913b0ff082ca3aa2f2b6cddf302c0232725fdb69c8121
                            • Opcode Fuzzy Hash: c1bf22a4b500be9bd3b34203b48534048dd57b647e199b619395e6398ab5e231
                            • Instruction Fuzzy Hash: 28A1FD72A40212EFD721DF28C980B6ABBE9FF58708F01092DE5899F661C370EC01CB91
                            Function 01542B57 Relevance: .3, Instructions: 266COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                            • Instruction ID: 2f9ca157913505c1ea4c02c708c4a1d2b445a90d6969d8f78931c58b99bc0c68
                            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                            • Instruction Fuzzy Hash: F7B14A71E0062ADFDF29CFA9D880AADBBF5FF48314F148129E955AB350D730A941CB94
                            Function 014F60E0 Relevance: .3, Instructions: 264COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 22ab682ac6f85be4dfaf7198e6612684db8cb125f9a8758836886b8d56c94f32
                            • Instruction ID: 49a328fe4ec33e82b05b1a544d835caaa3162ea80ea77fa95293520c779f43ed
                            • Opcode Fuzzy Hash: 22ab682ac6f85be4dfaf7198e6612684db8cb125f9a8758836886b8d56c94f32
                            • Instruction Fuzzy Hash: 96919075D00216AFDB15DF69D880BAEBFB5EB48710F16416EE710EB361D734D9009BA0
                            Function 0148E3F0 Relevance: .3, Instructions: 261COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd9d7502ec312ba3e0442c7631571d417b4445117eae52176c93261d233db9d2
                            • Instruction ID: 06a5d87181d0e47479682220b2c1d5f56cf6cb688689d0f18e0f2b832d5af7c8
                            • Opcode Fuzzy Hash: bd9d7502ec312ba3e0442c7631571d417b4445117eae52176c93261d233db9d2
                            • Instruction Fuzzy Hash: 92910231A00616CBEB24EF9DC450B7E7BA1EB94B14F05416BE905EB3B1E734D942CBA1
                            Function 014C6ACC Relevance: .2, Instructions: 226COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c3c75bc4d707bdda5aa37cf676278693309a068425ea4cf146a6998887c32ce2
                            • Instruction ID: dc50bd8391b3ae27e23d3e9200ef8c6a957e9fb821e54f941ca17f5f81be211d
                            • Opcode Fuzzy Hash: c3c75bc4d707bdda5aa37cf676278693309a068425ea4cf146a6998887c32ce2
                            • Instruction Fuzzy Hash: 8B8192B5A006169BDB58CF69C940ABEBBF9FB48B00F05852FE445D7750E334D941CBA4
                            Function 0153AB40 Relevance: .2, Instructions: 222COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                            • Instruction ID: 402ef63c486832d91029443c99183d8e9c5ec815ae6f3e0ccfaf1001fb7747f5
                            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                            • Instruction Fuzzy Hash: CE817D31A0020A9BDF19CF99C890AAEBBF2BFD4210F18856DE956DF345D734E901CB50
                            Function 014AE284 Relevance: .2, Instructions: 212COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2fd199ed6d5d1e9bff39b9ac7f3aba3cefc9418e221c48ae24577ed78566ee82
                            • Instruction ID: 12e275815e225367d79b3ef6f759a079374a19eb445e4bf3c874a7e7b6fa6c3a
                            • Opcode Fuzzy Hash: 2fd199ed6d5d1e9bff39b9ac7f3aba3cefc9418e221c48ae24577ed78566ee82
                            • Instruction Fuzzy Hash: B1817171A00609AFDB25CFA9C880AEFBBF9FF98314F51442EE555A7260D770AC45CB60
                            Function 0148C640 Relevance: .2, Instructions: 206COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 070b2500372ef69db3bfca0fe4ab59637bdb2d28ae115d2a732c1b551dc7f3f0
                            • Instruction ID: 2cab1c8756bc3dfa3671e455eaf34ae8cac2b2fd8468d6cc9bb8014be0bd0cbc
                            • Opcode Fuzzy Hash: 070b2500372ef69db3bfca0fe4ab59637bdb2d28ae115d2a732c1b551dc7f3f0
                            • Instruction Fuzzy Hash: FF71BF75D00226DBCB269F59C9907FEBBB0FF58710F14416BE956AB3A0D3309806CBA0
                            Function 015247A0 Relevance: .2, Instructions: 202COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2269f4c3ef725c8c11c3731e691830cf6feed6ef297cc777c25014acfe83b60d
                            • Instruction ID: 0b669192178b70ff47e50fea77fb272814b9ca76b475bbdc82a26fbfe18f5ff4
                            • Opcode Fuzzy Hash: 2269f4c3ef725c8c11c3731e691830cf6feed6ef297cc777c25014acfe83b60d
                            • Instruction Fuzzy Hash: 3D7181B1E00215EFDB20DF5DD940A9EBBF9FFA2300F11455AE610AF2A8C7B19944DB94
                            Function 0148260B Relevance: .2, Instructions: 201COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2343a73e1a965ed1e038eb7b0fbaeea9683a53d8cd98ef2cb12c0e4099cd10a1
                            • Instruction ID: b913064ad7579839d7e89b96752302f0411870e341271bc1a894ae71e7706ff1
                            • Opcode Fuzzy Hash: 2343a73e1a965ed1e038eb7b0fbaeea9683a53d8cd98ef2cb12c0e4099cd10a1
                            • Instruction Fuzzy Hash: D371EE356042429FD312EF2DC480B2BB7E5FF84314F0585ABE8998B362DBB4D846CB91
                            Function 014F035C Relevance: .2, Instructions: 198COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                            • Instruction ID: d2b856aeefdb72c59cd991317bd348369805d9fb2ad85bb6f2b51d5a3a9f8dbb
                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                            • Instruction Fuzzy Hash: E2715071900619EFDB10DFAAC944ADEBBB9FF98700F10456EE605A7361DB34EA41CB50
                            Function 015062A0 Relevance: .2, Instructions: 198COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9bf5be3f923dd87ba83e47190b054719412a6ea0c431d13b12bc2a4823f6813b
                            • Instruction ID: a6e30019e6b329d10a282220c6d3785e2a6b9142e0ed58db1a14bf7a02e17e31
                            • Opcode Fuzzy Hash: 9bf5be3f923dd87ba83e47190b054719412a6ea0c431d13b12bc2a4823f6813b
                            • Instruction Fuzzy Hash: E871D132200B01AFEB239F99C884F5ABBE6BB50720F154818E2558B2E1D774E954CB50
                            Function 01548324 Relevance: .2, Instructions: 192COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c78a9c214abba27e0c5c2314594a667456d977036f897fd83a91997583c57724
                            • Instruction ID: 24a2a5167a7ec006eee8338dc2c1a356c4a908d1e8d73c1b60b7bb19b7a06849
                            • Opcode Fuzzy Hash: c78a9c214abba27e0c5c2314594a667456d977036f897fd83a91997583c57724
                            • Instruction Fuzzy Hash: 79710B71E00209BFDB15DFD5CC81FEEBBB8FB14354F10451AE610AA290D774AA45CBA0
                            Function 0152A250 Relevance: .2, Instructions: 184COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 387955da22cd38255f7d0c30075c9fb650d6fb6ddcc3f2a5c7786f98926c7db5
                            • Instruction ID: 7492dd073a149a4972dd886b1ca7a3bfd77623664b0388007af66c04d029d771
                            • Opcode Fuzzy Hash: 387955da22cd38255f7d0c30075c9fb650d6fb6ddcc3f2a5c7786f98926c7db5
                            • Instruction Fuzzy Hash: D451AD73504622AFD711DE68C884A5BB7E8FBD6754F01092AFA40DF190E670ED04C7E2
                            Function 01518350 Relevance: .2, Instructions: 161COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 81626b2d52cb6e39d5c1518971f95cdbe30dea020a3672e558266f7f147ef781
                            • Instruction ID: a235653200a85c15d050adbac0d8bd5acac5f9f39e225f48496bbe6e1501c124
                            • Opcode Fuzzy Hash: 81626b2d52cb6e39d5c1518971f95cdbe30dea020a3672e558266f7f147ef781
                            • Instruction Fuzzy Hash: AC51A170900705DFE732DF5AC880AABFBF8BFA4714F104A1ED2965B6A4CBB0A545CB50
                            Function 014AE443 Relevance: .2, Instructions: 158COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9828608e8fc6fd96918cc6309a769a79efae41c20bd14ee00b3caafacb40a41b
                            • Instruction ID: 7293b4f57b6381a9b0815779c8d52b288a2e11280187536fa8056b3dc28b8ad3
                            • Opcode Fuzzy Hash: 9828608e8fc6fd96918cc6309a769a79efae41c20bd14ee00b3caafacb40a41b
                            • Instruction Fuzzy Hash: DC513A72200A05DFDB22EFAAC984EAAB7FDFF24684F81046EE55197270D734E945CB50
                            Function 01514180 Relevance: .2, Instructions: 156COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 81c33f6c268fe3d203719211f1a74f28ae63956fd520bb4cb9319bbc4655b5ae
                            • Instruction ID: 09b94dd6fbde773c57049b396a41b6ea1940023ce46e2f70e8683631f080d975
                            • Opcode Fuzzy Hash: 81c33f6c268fe3d203719211f1a74f28ae63956fd520bb4cb9319bbc4655b5ae
                            • Instruction Fuzzy Hash: 765166B16083028FE751DF29C880A6FBBE5BBD8304F44492EF595CB254DB30D945CB52
                            Function 014945B1 Relevance: .2, Instructions: 156COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                            • Instruction ID: 86927ceaf824cba450c8434460c4972dd2bea408b057a487cd42aa82e385472c
                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                            • Instruction Fuzzy Hash: 15517C71E0020EABDF159B98C550BEEBFB5AF45750F0840ABEA05AB260D734D9468BA0
                            Function 014FE9E0 Relevance: .2, Instructions: 154COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                            • Instruction ID: ea780fdfc25645dfee71871178c586a80a78d4ccb923d0cf3673f154d743ec7d
                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                            • Instruction Fuzzy Hash: DD517131D0020EABEB21DE95C884BAFBB65AB10226F16466FD712773B0D7749E4587A0
                            Function 01538B28 Relevance: .2, Instructions: 152COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 44c11842d3a314ce9cc35f2b504f9321ebf8357fcb609bb28f1512812bde632c
                            • Instruction ID: ab331ecaddae5cdedd5c8426f22677e3e6f5d1a4147486638ebb17b71ca859e7
                            • Opcode Fuzzy Hash: 44c11842d3a314ce9cc35f2b504f9321ebf8357fcb609bb28f1512812bde632c
                            • Instruction Fuzzy Hash: AA41D4717056069BD62EDB2DC894B7FBB9AFFD0220F188719F9558F280D734D901C690
                            Function 014FCBF0 Relevance: .1, Instructions: 148COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67ad3fa30e828ddc7581bdbaf4e0ee7a785b926e12cb61b9c2066d42e1cb0bd1
                            • Instruction ID: e601ed888d87617d34672db0b68e8b600cc97d8b761c675c34369992762b7491
                            • Opcode Fuzzy Hash: 67ad3fa30e828ddc7581bdbaf4e0ee7a785b926e12cb61b9c2066d42e1cb0bd1
                            • Instruction Fuzzy Hash: 30517B7190021ADFCB20DFAAD9C0E9FBBB9FB58214B11451ED616AB760D730AD06CBD0
                            Function 014AA430 Relevance: .1, Instructions: 139COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9bd55f9c4e43fe3c7c2a6ddb5d1b7e87470df61109f627db75d74d4fac0d8305
                            • Instruction ID: f1a02010511b1e00b7ee903aaffb379c6bd36f32438c3bc78762fda6ff3071a8
                            • Opcode Fuzzy Hash: 9bd55f9c4e43fe3c7c2a6ddb5d1b7e87470df61109f627db75d74d4fac0d8305
                            • Instruction Fuzzy Hash: 2D41F5717402129FDB25EF6DD880B6A37A5AB74B08F43002FEA169F271D7719805CBA1
                            Function 0153A9D3 Relevance: .1, Instructions: 139COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                            • Instruction ID: c5fc7c85e70cb6e9e6f328ed26c6043607728d4b3eb4e1f5221896ba53a36b9d
                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                            • Instruction Fuzzy Hash: A441C4726007169FD729CF68C980A6EB7E9FFD0210B05462EE992CF640EB70ED15C790
                            Function 014A01F8 Relevance: .1, Instructions: 138COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1ed56685645204af067bd37e5af413c3e086254c2dbe55a6c6b15fa08ca198dc
                            • Instruction ID: 3ad9bf3bf34acb8a2f1f703b2102657afdd7a752aaf37d0d37af516d023f42c9
                            • Opcode Fuzzy Hash: 1ed56685645204af067bd37e5af413c3e086254c2dbe55a6c6b15fa08ca198dc
                            • Instruction Fuzzy Hash: 2541BC36A002199BDB10DF99C440AEEBBB4BF68710F56816FF815E7360D7359C42CBA4
                            Function 0149EBFC Relevance: .1, Instructions: 138COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8968bc28034ba25befa89b923d818eb8af04430230b373f36dd59a9f4448b510
                            • Instruction ID: c07f566b4d27e877745886c77fe2ca2c872fc80e4d46d6ff51634bf05553d005
                            • Opcode Fuzzy Hash: 8968bc28034ba25befa89b923d818eb8af04430230b373f36dd59a9f4448b510
                            • Instruction Fuzzy Hash: 0741B1712043429FDB24EF29C880A5BBBE5FB98214F00492FE997D7721DB71E84ACB50
                            Function 014B2750 Relevance: .1, Instructions: 137COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction ID: 6c9f86610a4161cad91f13a7fee28c622e700c7f593510501b82be8acf56193e
                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction Fuzzy Hash: CD517B75A00215CFCB15CF98C484AAEF7F2FF84711F2881AAD955A7361D770AE42CB90
                            Function 01476154 Relevance: .1, Instructions: 133COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5beeca2e84de042c247584627a864bc265841635434ac2b1cffe80af6b2af726
                            • Instruction ID: 4445871eb883159be71bc078bade39b07f159111679517301a1e1921ee9e4d40
                            • Opcode Fuzzy Hash: 5beeca2e84de042c247584627a864bc265841635434ac2b1cffe80af6b2af726
                            • Instruction Fuzzy Hash: ED51F770A005169FEB25AB28CC10BE9BBB1FF21314F0582ABD525A73E1D7745981CF80
                            Function 01470BCD Relevance: .1, Instructions: 130COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e72f0ffe70680666a5afedbf4e0ba67e7afdc254f5ab679966461bb8d685af09
                            • Instruction ID: 16ca695cc503b367d3e911d4a9224f1cd86808f434a052be7f15fa2c28dcdd86
                            • Opcode Fuzzy Hash: e72f0ffe70680666a5afedbf4e0ba67e7afdc254f5ab679966461bb8d685af09
                            • Instruction Fuzzy Hash: 1B41C275A002299FCB61DF29C940BEE7BB4AF55B00F0100AAE908AB361D774DE81CB91
                            Function 0153866E Relevance: .1, Instructions: 129COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction ID: 6013c9f93ceab30cc62adb85604b8a9b87d0f8fb79d1cf7a214122556e997991
                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction Fuzzy Hash: FB41C475B00206ABEB19DF99CC94AAFBBBABFD8600F244169F900AB341D774DD01C760
                            Function 01470887 Relevance: .1, Instructions: 128COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfb09ed8abda170e03e4afddc55cba1988f10b6ff20434b181737dbff699ea2e
                            • Instruction ID: c76548853210e5c762e15a2de460cf4a95719dd17f7f8da6cef9a9a9fc63b915
                            • Opcode Fuzzy Hash: cfb09ed8abda170e03e4afddc55cba1988f10b6ff20434b181737dbff699ea2e
                            • Instruction Fuzzy Hash: 8A41B1B16017029FE325DF29C580A66BBF5FF4A314B148A6FE54787B61E730E846CB90
                            Function 0149A470 Relevance: .1, Instructions: 127COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c7ad41def8ab4a4c3210ef7314e542eb7a3a7e73666430861335a2048ef1859
                            • Instruction ID: 5242d8e43e9a6d743a60bdc64dd0156925dbf83c431f31dd898cbd920923084b
                            • Opcode Fuzzy Hash: 6c7ad41def8ab4a4c3210ef7314e542eb7a3a7e73666430861335a2048ef1859
                            • Instruction Fuzzy Hash: 4C418E32A40205CFDF21DF6CC4947AEBBB0FB64324F25026AD421AB3B1DB749945DBA4
                            Function 01478BF0 Relevance: .1, Instructions: 124COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8dfa58e3c393bf4f1de243cfe8320af8fe0deb35eacb2d2a108f42e6ff77471
                            • Instruction ID: a5d5d3af8e7710b293f7861bd54a69d39a456280d5d65fc715b237c44a558d37
                            • Opcode Fuzzy Hash: e8dfa58e3c393bf4f1de243cfe8320af8fe0deb35eacb2d2a108f42e6ff77471
                            • Instruction Fuzzy Hash: 0841D032A00202CFDB259F5DC884AAABBB5FBA4714F16812FD9219B375C775D842DBD0
                            Function 01468918 Relevance: .1, Instructions: 123COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a83a1d0464a5acec0156431a188b50499ca946ab114cb1a79ac93ee33f5d4221
                            • Instruction ID: 617611a774bc4f1fcd25a1a22a7d8cef4cdb2b03a45e7c0d8fc85af1502606d2
                            • Opcode Fuzzy Hash: a83a1d0464a5acec0156431a188b50499ca946ab114cb1a79ac93ee33f5d4221
                            • Instruction Fuzzy Hash: 53417C715083069ED312DF69C841A6BB7E8EF94B98F40092FF984D7260E770DE098B93
                            Function 0146A020 Relevance: .1, Instructions: 122COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction ID: 7aaf0270e373190c5283943f16108c8dbd01dbd71de2560d958f4f78e7499133
                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction Fuzzy Hash: 4541CE75A00613DBDB11DE2D80617BBBB75EB50B98F25806FEA41EB360D6338D40CB92
                            Function 014709AD Relevance: .1, Instructions: 122COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cad4a0cc9c30e42f8ddaf6a845b13a1f8340817f39f38890026745201a07f8af
                            • Instruction ID: 4210c4be7942ff9a916b531ced996cd2f39c342d136e81f4c1c2236c6fb3c04c
                            • Opcode Fuzzy Hash: cad4a0cc9c30e42f8ddaf6a845b13a1f8340817f39f38890026745201a07f8af
                            • Instruction Fuzzy Hash: EC4157B1641601EFD721EF19C840AAABBE4EB65714F20866BE4498B361E770E942CB90
                            Function 014A0710 Relevance: .1, Instructions: 121COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction ID: 0d303d69380197fbf9e2f198f38faab12fa62449e3a3ad24694aba698cc67816
                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction Fuzzy Hash: 3C414B75A00705EFDB24CF99C980AAABBF4FF28700B51496EE556D7260D730EA44CF54
                            Function 0147262C Relevance: .1, Instructions: 119COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b1586315a2d46bb66fc67d8d523bce2e4fdc910a958bffe6f983d4d8d7e7bb1
                            • Instruction ID: 874103235489bc50d86d23485fcd2eac6d7ad8adb666f9da543424a1fd81c74c
                            • Opcode Fuzzy Hash: 3b1586315a2d46bb66fc67d8d523bce2e4fdc910a958bffe6f983d4d8d7e7bb1
                            • Instruction Fuzzy Hash: 59418EB1501701CFC721EF29C940A99B7F6FF64720F11856FC51A9B2B1EB709945CB91
                            Function 014AC8F9 Relevance: .1, Instructions: 116COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a03c19e98622c2343032d577c1b3acd20780d210973038f1d8dd371d87aa6779
                            • Instruction ID: 420b70b3523ab55fc170590c38a4d17f5ffdef098922a30fb0af37dcec015525
                            • Opcode Fuzzy Hash: a03c19e98622c2343032d577c1b3acd20780d210973038f1d8dd371d87aa6779
                            • Instruction Fuzzy Hash: E53179B2A01246DFDB52CF98C540799BBF4FB59728F2181AED119EB361D3369902CF90
                            Function 014F07C3 Relevance: .1, Instructions: 114COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bc7c2804fedeb4c30dbe0dc76cc70b105d72f972a350f8e3873041c06bcfb17f
                            • Instruction ID: 154a766c0fdb46598f7d43571adf5d0b150cddf7e24b161d877e8b388e9b7edb
                            • Opcode Fuzzy Hash: bc7c2804fedeb4c30dbe0dc76cc70b105d72f972a350f8e3873041c06bcfb17f
                            • Instruction Fuzzy Hash: 1341AF716043019FD760DF29C845B9BBBE8FF98614F004A2EF698D7261D7709904CBD2
                            Function 014680A0 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b51edab139179db6849bc52dbc3367b4fa3a28fdbc124930b4b9bf182b39b9c
                            • Instruction ID: 4142c67f06edf425ebd2236d5441b5cce88b3a9ac223a1d7f6f7d511a3b779c5
                            • Opcode Fuzzy Hash: 7b51edab139179db6849bc52dbc3367b4fa3a28fdbc124930b4b9bf182b39b9c
                            • Instruction Fuzzy Hash: CB41D171A0471BDFCB11DF19C840AE9B7B9BB64768F14822BD815A73A0DB30ED418B91
                            Function 014F05A7 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 000c87a22002f779e111c935eafcaa92230d30407a588edd8234fb628e4525a8
                            • Instruction ID: abc01717165e3dcfa3939f2d978cc77f7dff24cb8c9c041b012bf3c59c74b2e1
                            • Opcode Fuzzy Hash: 000c87a22002f779e111c935eafcaa92230d30407a588edd8234fb628e4525a8
                            • Instruction Fuzzy Hash: 5F41D3726046419FD320DF29C840A6BB7E6FFD8700F14061EFA58877A1E730E904C7A6
                            Function 01474859 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42f9a93e3a5e822db47c9a8ef7085139c3e8538b07d816494947574972995b48
                            • Instruction ID: 69411f902ba7d6f922cd792947013eabdfdbddc2b85c3ffb1ff11e9fd9c52bb3
                            • Opcode Fuzzy Hash: 42f9a93e3a5e822db47c9a8ef7085139c3e8538b07d816494947574972995b48
                            • Instruction Fuzzy Hash: 0E41B0B02003068BD725DF2DD884B7BBBE9EF90750F19442EE6558B2B1DB70D845CB91
                            Function 01468B50 Relevance: .1, Instructions: 111COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5809dd3d243dadfb8ac00187b3fe9ddcf94243a41e26fac56f2c3d8520cbfc7f
                            • Instruction ID: ac39b2da4a22618084740a8a1331fc58d4110cc3400113bca4fbc02e953acfe4
                            • Opcode Fuzzy Hash: 5809dd3d243dadfb8ac00187b3fe9ddcf94243a41e26fac56f2c3d8520cbfc7f
                            • Instruction Fuzzy Hash: 2A41ACB1A017068FCB14CF6AC98099EBBF5FF98728B10862FD466A7370DB309941CB51
                            Function 014802E1 Relevance: .1, Instructions: 106COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                            • Instruction ID: 48d28d2b2f61fdfef2bd9a655f36efd313cae48a53a4d7b3ca3d81016e53943d
                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                            • Instruction Fuzzy Hash: B9312731A00244AFDB11AB69CC40BDFBBE8AF24350F0441ABF815E7362C7749848CBA0
                            Function 0151E3DB Relevance: .1, Instructions: 105COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6000ee0f0ffd6f4a6d81b74374e3bb9f34b13fe30bb14ac45f9888ea6bca439
                            • Instruction ID: 4f50fcd4daae51a7c663ab9964e3d75b8abff410c00ad2415b8cadeee846b8a7
                            • Opcode Fuzzy Hash: e6000ee0f0ffd6f4a6d81b74374e3bb9f34b13fe30bb14ac45f9888ea6bca439
                            • Instruction Fuzzy Hash: B0319875790706ABE723AF558C81F6F7AA5FB59B50F000029FA00AF2A5DAB4DC00C7A0
                            Function 01524B4B Relevance: .1, Instructions: 104COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7db18d16f367e4fd20b9257f67456b7fe8b914a262b85f2885713964ce5ae1de
                            • Instruction ID: a80d0709c1a176415cfb172f617a84a4c4619c302b4c7f711b50d6e8b0c1411e
                            • Opcode Fuzzy Hash: 7db18d16f367e4fd20b9257f67456b7fe8b914a262b85f2885713964ce5ae1de
                            • Instruction Fuzzy Hash: EF31D0722056218FC721DF1DD880E2ABBF5FB82360F0A446EE9959F6A5D730E804DB90
                            Function 01474260 Relevance: .1, Instructions: 102COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae285ea471204ee5be3b55948e931446d49ffc864fdc173b2d9359d598f4861d
                            • Instruction ID: d5fd8bb5490ad7d69193b047c9d60dd230600bf1d44979e477eaa91643977ba0
                            • Opcode Fuzzy Hash: ae285ea471204ee5be3b55948e931446d49ffc864fdc173b2d9359d598f4861d
                            • Instruction Fuzzy Hash: A841BD71201B059FDB22CF29C890FE77BE8AB55714F15842EE65A8B370C770E844CB90
                            Function 01524BB0 Relevance: .1, Instructions: 101COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 371d82fda2ebbf52c36c6abe9ceca79075ddb6493839162e339fa0bf7c43d637
                            • Instruction ID: 6702fba8af3ac4252f7c3517910e1b750935ae7d1fbb8067f8a783acb90f8d1c
                            • Opcode Fuzzy Hash: 371d82fda2ebbf52c36c6abe9ceca79075ddb6493839162e339fa0bf7c43d637
                            • Instruction Fuzzy Hash: E0319E726046118FD720DF2DC880E2AB7E5FB85710F06496DF965AF390E730E804CB91
                            Function 014EEB1D Relevance: .1, Instructions: 100COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6248f3ca1466f50e2a8faf120c3392d46fd946d5947e3552a261acdb2cd4028
                            • Instruction ID: 56fabee784f1b3dd95b5c1f4f34f99127091b632564e2a795af4947ffc77ae5c
                            • Opcode Fuzzy Hash: e6248f3ca1466f50e2a8faf120c3392d46fd946d5947e3552a261acdb2cd4028
                            • Instruction Fuzzy Hash: F131C3316016829FF722DB5D8D4CB167BD9BB50B41F1900A6AB45AB7F2DB78D841C221
                            Function 015361C3 Relevance: .1, Instructions: 97COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e389c8fe0c6be8be51e351aff5d097000fb75d4b6d360748855789f771a0aeb7
                            • Instruction ID: c09e050f2d84eeb1ca6a07bc2382db31da29a766f24f71a0f4b9e1973f1416d4
                            • Opcode Fuzzy Hash: e389c8fe0c6be8be51e351aff5d097000fb75d4b6d360748855789f771a0aeb7
                            • Instruction Fuzzy Hash: 0431C175A00116ABDB15DF98C880BAEB7B5FB84B40F46416DF901AF254D7B0ED00CBA4
                            Function 0151483A Relevance: .1, Instructions: 96COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5bb68cc55dc78bea45290468cfa3180c1ee2de8da7c3f3ade9323d01f7a36dbb
                            • Instruction ID: b99b32c1ae3cb4d0388c2aefb7ebdaf9ba255e648f54b9ad330898fcffa4ddde
                            • Opcode Fuzzy Hash: 5bb68cc55dc78bea45290468cfa3180c1ee2de8da7c3f3ade9323d01f7a36dbb
                            • Instruction Fuzzy Hash: 4E316576A4012DABDF22DF55DC84BDE7BB6BB98310F1400A5E508A7264CB30DE91CF90
                            Function 0149EB20 Relevance: .1, Instructions: 96COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6612b8a5bc1feb74c37682d9f3c12feafee9c9fc36f2c251eba3293167dd8da
                            • Instruction ID: 7666c87941ce734f77d14814cf11b696a53842fb93967ccbd142ceb96ce3b2f1
                            • Opcode Fuzzy Hash: e6612b8a5bc1feb74c37682d9f3c12feafee9c9fc36f2c251eba3293167dd8da
                            • Instruction Fuzzy Hash: 5531A672E00215AFDF31DFA9C840AAFBBF8EF14750F11852BE516E7260D6709E019BA0
                            Function 015360B8 Relevance: .1, Instructions: 95COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69c107dd6775c8ebc15906046b1b021dcd2edab79bdab6c7fa88441e1eaa0fe0
                            • Instruction ID: 69755d5bb987e738f5772c8ad90f02432f11c12a58b4077cb60420f01bd37fe7
                            • Opcode Fuzzy Hash: 69c107dd6775c8ebc15906046b1b021dcd2edab79bdab6c7fa88441e1eaa0fe0
                            • Instruction Fuzzy Hash: D031C271B00616BFDB22AF99C850A6EB7F9BF94754F10006DE505EF352DA70DE008BA0
                            Function 014707AF Relevance: .1, Instructions: 95COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c416e0033acc782f6712dccb495912175bf8c7121f13f4a1941ba4473fc70671
                            • Instruction ID: 329bfd40ee33181f3e4a9fbd02098e6788a3c8e9b5a72fb9029965e0241b3a60
                            • Opcode Fuzzy Hash: c416e0033acc782f6712dccb495912175bf8c7121f13f4a1941ba4473fc70671
                            • Instruction Fuzzy Hash: C531E872A06712DBC712DE69C880AABBBA5AFA5650F02452FFD55A7330DB30DC0187D1
                            Function 01478550 Relevance: .1, Instructions: 94COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07d38913e4ca043ee6ba20c1dc4058c033b7f89bbf4c1e1362138df7fc3954e7
                            • Instruction ID: cc6ee32f295a36163a8633f777f34042e9de49a4bf9d92dba595fa15be59d17c
                            • Opcode Fuzzy Hash: 07d38913e4ca043ee6ba20c1dc4058c033b7f89bbf4c1e1362138df7fc3954e7
                            • Instruction Fuzzy Hash: A2315EB16053028FE721CF19C844B5BBBE5FF98710F15496EEA8497361D7B1E844CB92
                            Function 014AA6C7 Relevance: .1, Instructions: 92COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction ID: ea772d7acea55aadd6c4ddbf63d831ce85ccbacaad0e6870c85b1ba0f1b7557a
                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                            • Instruction Fuzzy Hash: C3313EB6B01701AFD761CF6DCD40B57BBF8BB28650F55452EA59AC3760E630E900CB60
                            Function 0151EBD0 Relevance: .1, Instructions: 91COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c6442e1000a452e8d7a32e123490f676cfe5a1628652935de392fe43e0c34ff
                            • Instruction ID: c708c064bc3d6c7f9770af4ef63a29e4bba021187a0dfb761ae72ede9605514f
                            • Opcode Fuzzy Hash: 8c6442e1000a452e8d7a32e123490f676cfe5a1628652935de392fe43e0c34ff
                            • Instruction Fuzzy Hash: CD31ACB1505302CFC712EF19C94185ABBF5FF99618F0449AEE888AF255D730DA84CBD2
                            Function 0149438F Relevance: .1, Instructions: 89COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbcdf119045460a87134a03564258eeff7b30d61a3bfabe953c84520e618a0cf
                            • Instruction ID: 7a9a8c5b4518dd20ac57a15b075b8b894a2306c078ca8a48453a8a8b1dda5678
                            • Opcode Fuzzy Hash: fbcdf119045460a87134a03564258eeff7b30d61a3bfabe953c84520e618a0cf
                            • Instruction Fuzzy Hash: C831BF32B002069FDB20EFB9CA80A6EBBF9EB94704F05853BD105D7664D730E946CB91
                            Function 0146CB7E Relevance: .1, Instructions: 89COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                            • Instruction ID: 455231c575a07548b6b19e05a07da21a60e081871a2850115607be99b9ff56e6
                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                            • Instruction Fuzzy Hash: 95210936E0025AAADB119BB98850BAFBBB9AF54B44F15803B9E55E7360E270CD018791
                            Function 0146C156 Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02a6f82ba5ee3e96164928196dd75420b22316f6d833a16e0120a7dfee4ba858
                            • Instruction ID: 63438e73ac0144cb8047c37f3fe55106e12a99d80c62abea36dd4a779a2b21f2
                            • Opcode Fuzzy Hash: 02a6f82ba5ee3e96164928196dd75420b22316f6d833a16e0120a7dfee4ba858
                            • Instruction Fuzzy Hash: 9A3129B59012018BD731AF68CC40BAA77B4BF50714F54817FD98A9F3A2DA74D986CBD0
                            Function 0152C3CD Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction ID: 731894b774ede86a3961da18a4ee46be6f10d45777de2b28d7235192871d8b02
                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                            • Instruction Fuzzy Hash: 44210E37A0066366DB15AB958800ABFBB74FFA1611F80841FF6558E5D2D635D940C3E0
                            Function 0146E420 Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbe6a8bea122abddf77a4020533c512bd1d83f1ddcf4ee0d6ad5b631c4ae9653
                            • Instruction ID: e11cbdd9d838e66e2ae688886256615dc144a4c6e1de8f74fc9a5f6f4861ad15
                            • Opcode Fuzzy Hash: fbe6a8bea122abddf77a4020533c512bd1d83f1ddcf4ee0d6ad5b631c4ae9653
                            • Instruction Fuzzy Hash: 5231C436A001289BDB31DF29CC41BEE77BDAB25744F0101A7E645BB2A0D6749E818FA1
                            Function 014A4588 Relevance: .1, Instructions: 87COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                            • Instruction ID: e98c0f7b08657b6dc2eb13e430dd79af728f20dc06fc6275597e551467e7d4eb
                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                            • Instruction Fuzzy Hash: 6521D631A00605EFCB10CF59C980A9EBBB5FF68310F59806AEE199F250D6B4DE01CB50
                            Function 014A44B0 Relevance: .1, Instructions: 87COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: feed0f9632f2cddf9437fb5da815b740567cfd28300e5c911d58d1b0da2ff4de
                            • Instruction ID: 37d77268a071c47aa127298aa789e61d00a159198f0a4ef2b8062a106cb4b3b3
                            • Opcode Fuzzy Hash: feed0f9632f2cddf9437fb5da815b740567cfd28300e5c911d58d1b0da2ff4de
                            • Instruction Fuzzy Hash: C821E5726047459BCB22DF19C480B6F77E4FF9C760F4A491AFE949B251C770D9018BA2
                            Function 0146E388 Relevance: .1, Instructions: 86COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction ID: 3f906cc22a83bb728b3b0228f7b5b684c3c0b5856c5fd6a4ce7856ca14814281
                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                            • Instruction Fuzzy Hash: 6D31BC35600605EFE721CF68C884F6AB7F9FF85358F1044AAE5029B2A0E770EE02CB51
                            Function 014EE609 Relevance: .1, Instructions: 86COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e96691b5d44f5efade3fe4cf1ea834938e3f0e3a6acf2a8faaa8faf6a99f1bf
                            • Instruction ID: 9a177d6fd8fee0fcbf26213a797debd343a5ad9f4f0413977412b695dcc16f10
                            • Opcode Fuzzy Hash: 9e96691b5d44f5efade3fe4cf1ea834938e3f0e3a6acf2a8faaa8faf6a99f1bf
                            • Instruction Fuzzy Hash: 48319F75600205DFCB14CF2CC8889AEB7F5FF84704B55445AE80AAB3A1E731EA51CF94
                            Function 014F06F1 Relevance: .1, Instructions: 79COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9d5b36b47671469079ffc5032a3cced14c76a2a9b0a824a31ee6b8e1f63764b1
                            • Instruction ID: cd3d30dae29f618394a533db421dba0245baef0141b6d679121ad11d6ed8e92c
                            • Opcode Fuzzy Hash: 9d5b36b47671469079ffc5032a3cced14c76a2a9b0a824a31ee6b8e1f63764b1
                            • Instruction Fuzzy Hash: 22218271A001299BCF11DF59C881ABEB7F5FF58740B55006AF541EB361D734AD42CBA1
                            Function 014F019F Relevance: .1, Instructions: 78COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df3e0e5945489ecdcad2daab1ec430ed335686f9dd6f332bd374fc86b156bc45
                            • Instruction ID: 37cbd255e7ca77762114b37db54000a4277b16735985f54c51092ffe1f072558
                            • Opcode Fuzzy Hash: df3e0e5945489ecdcad2daab1ec430ed335686f9dd6f332bd374fc86b156bc45
                            • Instruction Fuzzy Hash: F8218B71600645ABD715DF6DC980A6AB7A8FF98740F14006EFA04DB7A1D734ED41CBA4
                            Function 014F0283 Relevance: .1, Instructions: 74COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08d150e2e3c8c9ac73a387e8295ce5851b0842c5e46f1eeaf2ee36a220daa730
                            • Instruction ID: 2684fa89507626b0f774676b19c704bca96c1abd5856143318609cfb5b80c650
                            • Opcode Fuzzy Hash: 08d150e2e3c8c9ac73a387e8295ce5851b0842c5e46f1eeaf2ee36a220daa730
                            • Instruction Fuzzy Hash: F821CF729042469BE721EF5AC948B6BBBDDEFE1644F08045FBE8087372D730D905C6A2
                            Function 01492835 Relevance: .1, Instructions: 73COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 87348ad6da378c0496d82e375c88ae5d80c2dcaf64062e1f8c0c8f58047c5be9
                            • Instruction ID: 763e68895f12124788daf4b9d7103e6c4cdd10ce5672ae5d2a0347e487b49ef2
                            • Opcode Fuzzy Hash: 87348ad6da378c0496d82e375c88ae5d80c2dcaf64062e1f8c0c8f58047c5be9
                            • Instruction Fuzzy Hash: 2721DA31605681ABFB22DB6D8C18F153FD5AB41B64F2803A6FA209F7F2D7B8D8038141
                            Function 014AA30B Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4afe11f57566ceb30c5dada845135fc9e68ddf14e7d2517a5c83d1bb2dae9385
                            • Instruction ID: 24d8df381ad9923e254df2429c660bcf9ebfcbf49e588045806ca9d5fb9cfbf5
                            • Opcode Fuzzy Hash: 4afe11f57566ceb30c5dada845135fc9e68ddf14e7d2517a5c83d1bb2dae9385
                            • Instruction Fuzzy Hash: 55217975200A019FC725DF2ACD01B56B7F5FF68B04F2584AEA509CBB62E371E846CB94
                            Function 0152A49A Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df58bb18ab9a726e7ad3882fe722524d22d4759d23f7f43d48431e0a2e72f50a
                            • Instruction ID: 32d2060ae80f0319f52275f1ea56513f60bdc1682fb5dacb7809ae2c46017723
                            • Opcode Fuzzy Hash: df58bb18ab9a726e7ad3882fe722524d22d4759d23f7f43d48431e0a2e72f50a
                            • Instruction Fuzzy Hash: A511E773340A227BE7225659AC41F6BB699ABE6B60F110429F708DF5D0DB70DC018795
                            Function 014F0946 Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 26c43e1800241aea6b85da97b19d0dc7ad6e0bb328c9f701de77e3455f4b476e
                            • Instruction ID: a9358ed7947f5f78a53384e5713fb1702abe941465eb6efd936640c1f9ec53fb
                            • Opcode Fuzzy Hash: 26c43e1800241aea6b85da97b19d0dc7ad6e0bb328c9f701de77e3455f4b476e
                            • Instruction Fuzzy Hash: 5421E9B1E10209ABDB20DFAAD8809AEFBF9FF98710F10012FE515A7361D7709945CB94
                            Function 015080A8 Relevance: .1, Instructions: 69COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                            • Instruction ID: db9aa9d0aada71b53b57c4cbd9a8fcd0e22cca3f105a5f5e3ced3a3f781b82a8
                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                            • Instruction Fuzzy Hash: 68216D72A00209EFDB129F98CC40FAEBBB9FF98310F204819F940AB291D734D9518B50
                            Function 014A0124 Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction ID: 9ee39a5f6cc21b8b9c965eff36dc784cd4295ebadce52d1b10b94674a05085cc
                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                            • Instruction Fuzzy Hash: 9411E272601605AFD7229F45CC40F9BBBB8EBA0754F11002AF6009F2A0D672ED45CB60
                            Function 01478770 Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 378cea9d343e9656afe22483c3c5b12f1bf628a70fb82325289f7d6ec5ec0862
                            • Instruction ID: c5510c55ea984877831a3d644a565383c24019bf4f8e483bf753341a1c399ecf
                            • Opcode Fuzzy Hash: 378cea9d343e9656afe22483c3c5b12f1bf628a70fb82325289f7d6ec5ec0862
                            • Instruction Fuzzy Hash: 1C1104357006129BDB11CF5DC8C4A97FBE9AF4A710B18406EEE09DF321D6B2D902C790
                            Function 014AAAEE Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                            • Instruction ID: 5f4a018b93f788befa6e017845f4bf63318367dc4dab8958e5e8d0a56d77d502
                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                            • Instruction Fuzzy Hash: 8B218E72600641DFDB319F4AC540A66FBE6EBA4B10F66883EE64687730C730EC01CB40
                            Function 014780E9 Relevance: .1, Instructions: 66COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 83d9a8f74b935dd6adbe15b3d4d3e753c2fb6e1de2411fc0dec073c5393bdb42
                            • Instruction ID: b38d0c5e9253929684b7dce8a2934bc367338793f0fa568ba72013cedeb2a717
                            • Opcode Fuzzy Hash: 83d9a8f74b935dd6adbe15b3d4d3e753c2fb6e1de2411fc0dec073c5393bdb42
                            • Instruction Fuzzy Hash: E6218175A00206DFCB14CF59D581AAEBBF5FB88314F24416ED105AB365C771AD06CBD0
                            Function 014A674D Relevance: .1, Instructions: 65COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b82fc07acd03e98bc048c927b3e3fcdb91322914edcabb601e8f1d5e1c9295fd
                            • Instruction ID: 760a67a25ad75774f7c0aa8020395d972d44f523255c693ff0e6400621ecbf87
                            • Opcode Fuzzy Hash: b82fc07acd03e98bc048c927b3e3fcdb91322914edcabb601e8f1d5e1c9295fd
                            • Instruction Fuzzy Hash: 8B219379511601EFD7209F69C840F66B7F8FF64250F86882EE59AC7260DB70A841CB60
                            Function 01506870 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c72b8e9b314035817a0ada77b19d125998031f4cadb782313663fbfd2702740
                            • Instruction ID: 47790f76de8a1cce8f0fb587a4c005985d594caefebd47e70bccf256cb943c09
                            • Opcode Fuzzy Hash: 5c72b8e9b314035817a0ada77b19d125998031f4cadb782313663fbfd2702740
                            • Instruction Fuzzy Hash: 28118F72240515AFD723DB9EC940F9A77E8BFA5A60F114429F205DF2A1DB70E911C7A0
                            Function 0149E8C0 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b429c550d6f33fa1ae7ac3e1461936c5df43df23de25ef92aa94a8277f66237
                            • Instruction ID: 293152391e995c956ca49a21c4ec844c862d2b5dea35b0882d9aba31f7d0c2b4
                            • Opcode Fuzzy Hash: 0b429c550d6f33fa1ae7ac3e1461936c5df43df23de25ef92aa94a8277f66237
                            • Instruction Fuzzy Hash: 791108733001149BCF19DB29CC95A6F769AEFD5670B29493AD9239B3A0E9309803C390
                            Function 014A66B0 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb9d5c530ff94f1ae2219aa65a76e66cdd7a903450c8d9d28fc32dcdb5524b3e
                            • Instruction ID: c22aa38f54b44f02144167b4f93f60df64c5115f6fb06f6bf026a8e0d30fe601
                            • Opcode Fuzzy Hash: eb9d5c530ff94f1ae2219aa65a76e66cdd7a903450c8d9d28fc32dcdb5524b3e
                            • Instruction Fuzzy Hash: 7211BC7AA11215DBCB25DF9DC580E5ABFE8ABA4610F4B407ED905AB331E634DD00CBA0
                            Function 0153A8E4 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                            • Instruction ID: 1332876bc1f50c1ee9e4d9370ae1a3c7b3722b37a690e41c40b8f8f8cc42ab97
                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                            • Instruction Fuzzy Hash: 3611B237A0091AAFDB19CB58C805A9DBBF5FFC4210F058269E895EB350E671ED51CB80
                            Function 01470AD0 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                            • Instruction ID: 4d1ad59ddc9c8542d071e1ce7016998fa27bef0e4bf481e0db6f109cbdbb9b99
                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                            • Instruction Fuzzy Hash: B82106B5A01B059FD3A0CF29C480B56BBF4FB48B20F10492EE98AC7B50E371E914CB90
                            Function 014FE7E1 Relevance: .1, Instructions: 59COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                            • Instruction ID: 20ae217d32b289ee73e17e32d94485b6339c9e3e2190feccaf0842eca0a34b6c
                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                            • Instruction Fuzzy Hash: BF11A032600601EFE721AF49C840B5BBBA5EF55766F16842EEB09AB370DB31DC40DB90
                            Function 014927ED Relevance: .1, Instructions: 58COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: adf6859c351b9775e5b83d617d940d8f73afaee1a987ca9028623216e369a8b4
                            • Instruction ID: 78e1a9c8eb3682163d109f8b0783e1b56111f6db29ab2a9367e3f7334253da3a
                            • Opcode Fuzzy Hash: adf6859c351b9775e5b83d617d940d8f73afaee1a987ca9028623216e369a8b4
                            • Instruction Fuzzy Hash: 6E010431305645ABEB26E66E9894F277A8DEF906A4F15006BF9008B371DA74DC02C2A1
                            Function 01474690 Relevance: .1, Instructions: 57COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a12163e8176c2ae35a4cc7f211fb1104b59e47e3201b8446081544718b3962f
                            • Instruction ID: 20ffd04af0f5f1f710d5ca0e4bbb91d5af6713915853c58b866fdfaf07c375e7
                            • Opcode Fuzzy Hash: 8a12163e8176c2ae35a4cc7f211fb1104b59e47e3201b8446081544718b3962f
                            • Instruction Fuzzy Hash: 2911A076240645AFDB25CF99D980BA6BBA4EB96B64F18451BF9148B770C370E840CF60
                            Function 01544B00 Relevance: .1, Instructions: 57COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 60e8993afc456672febd00a6d53ce6295ba422ec92a4611b5e1f875f01896109
                            • Instruction ID: 4d1255823b645ea593797bcbfc007c8ca3fb30623756d531e70fdf7c52a1f066
                            • Opcode Fuzzy Hash: 60e8993afc456672febd00a6d53ce6295ba422ec92a4611b5e1f875f01896109
                            • Instruction Fuzzy Hash: 2811C636240A119FDB22DA69D844F5BB7E5FFC4714F154519E6928B650DA30E802C790
                            Function 014A6620 Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd8341d28f90661ca70408c0a18102dbb005bd500e340df14213f42ce6ae6e35
                            • Instruction ID: 8ea707cc5b1b001d3d6a33896ae4b80a6fa6af7bc166ea30879da2e8a558d817
                            • Opcode Fuzzy Hash: bd8341d28f90661ca70408c0a18102dbb005bd500e340df14213f42ce6ae6e35
                            • Instruction Fuzzy Hash: 0C11A572A00715ABDB21EF5AC980B5FFBB8FF64750F96045ADA05AB320D730ED418B90
                            Function 0149EA2E Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2eb333a173d693e92a15f43bc70300934c5c825c9b5e42df6654643c83b493a8
                            • Instruction ID: b1394096a5cf65dc37f55835b9c02c77f8ba5518e296ba8c8789838599d11ed7
                            • Opcode Fuzzy Hash: 2eb333a173d693e92a15f43bc70300934c5c825c9b5e42df6654643c83b493a8
                            • Instruction Fuzzy Hash: A5010C701601099FDB25DF1AD408E16BBF9FBA1358F21826FE0049B270EB70AC46CB90
                            Function 0149E53E Relevance: .1, Instructions: 55COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                            • Instruction ID: 622c2f6c2205154f1589959e7ab7e47d7e69999cd8367fc9c0df492588b33580
                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                            • Instruction Fuzzy Hash: 1C11C2716016C29BEF32DB6C9964B263BD4AB40B58F1900E3DE4297772F738D847C251
                            Function 014FE75D Relevance: .1, Instructions: 54COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                            • Instruction ID: c1a86e9574c8947ad826f46fe6b4ed67475ab4fe843d5d29605e2af1af81b509
                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                            • Instruction Fuzzy Hash: 82018032600105AFE7219B5ACC00F5BBAE9EB95752F16842FEB05AB370E775DD41C790
                            Function 0146A250 Relevance: .1, Instructions: 52COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                            • Instruction ID: d565310387f52ab9090d0e63a24ed2157dc9378731561223d861d87ec3472eb6
                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                            • Instruction Fuzzy Hash: 26012671444B229BCB318F1AD840A377BE8EF55764710852EFC96AB3A1C331D401CB61
                            Function 01544940 Relevance: .1, Instructions: 52COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: db43f16d8e7fbee95f61b734e0069f5e63f69d6ac5cf815ed95fb96cbfedc9f1
                            • Instruction ID: da2b1ea259c535f0ba20614e7879322f8709959fca57c1c4a13df9738e7bb966
                            • Opcode Fuzzy Hash: db43f16d8e7fbee95f61b734e0069f5e63f69d6ac5cf815ed95fb96cbfedc9f1
                            • Instruction Fuzzy Hash: 710100774812419BC322AF1C9800F1AB7A8FB91778B254229E9A8AF1A2D730D801DBD0
                            Function 014EE1D0 Relevance: .1, Instructions: 51COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a313976049fa278777e806e0a54979899c8e4d23646143cd57c4fa8b2ef46786
                            • Instruction ID: e6b9767d690a409d42307f4c77170e2f77b95945179a41fb1916e271287911b7
                            • Opcode Fuzzy Hash: a313976049fa278777e806e0a54979899c8e4d23646143cd57c4fa8b2ef46786
                            • Instruction Fuzzy Hash: F111C032241241EFDB15EF1ACD90F56BBB8FF64B44F2004AAFA059B661C635ED01CAA0
                            Function 01476259 Relevance: .1, Instructions: 51COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36e4ad41e373de2ad885889be0ce45fba2689e45cb7ef11b20b32aefa6853792
                            • Instruction ID: 53d8d5013c7597275711c3d4263363c7702993b9126fda507c73b55c6e6fcfe0
                            • Opcode Fuzzy Hash: 36e4ad41e373de2ad885889be0ce45fba2689e45cb7ef11b20b32aefa6853792
                            • Instruction Fuzzy Hash: 24119E70501618ABEF65AF29CC81FE9B274AF14710F50419AA324A61F0DA70AE81CF94
                            Function 014F6050 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e03b829fc5bcf1293cfdb999483889ee15a2c549ff98eeb24afd730215dba3f
                            • Instruction ID: e7384c4a04f6e6b27feaff17bb0f7407c840c3fc3f733433ba63da3a79af2f85
                            • Opcode Fuzzy Hash: 5e03b829fc5bcf1293cfdb999483889ee15a2c549ff98eeb24afd730215dba3f
                            • Instruction Fuzzy Hash: 2E1129B3900019ABCB11DB95CC84DEFBB7CEF58254F054166E906E7221EA34EA15CBE0
                            Function 0147208A Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                            • Instruction ID: 1dc7ecdd774316f80bf0284eb21baab2da611c14492f88552f35ca9c91ca6d5c
                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                            • Instruction Fuzzy Hash: 6601F5766001419BEF269E59D880F9377A7BFD4600F5540ABEE018F366DAB1D882C3A0
                            Function 01506500 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d7d16496a67c08d6d3d4fe0a06479727f91c88a94a6a7a5f4e4fda8bd6806b58
                            • Instruction ID: 2701deb87b4acd52c18f930271d9a1e07e87bbbc6d42c2eb8e6e6d0730c4b87a
                            • Opcode Fuzzy Hash: d7d16496a67c08d6d3d4fe0a06479727f91c88a94a6a7a5f4e4fda8bd6806b58
                            • Instruction Fuzzy Hash: 121108326401459FC302CF58D840BA5B7F5FB5A314F488159E844CF395D732EC44CBA0
                            Function 014FC810 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: db5df0a3b4c26d60afd4794916e503d0d56db767e78d97391fb0e88d66c98a4b
                            • Instruction ID: 1c9f09b8aafd702d6f0cbef57df54f1c881a7cc821b3d01655e1be38918721f9
                            • Opcode Fuzzy Hash: db5df0a3b4c26d60afd4794916e503d0d56db767e78d97391fb0e88d66c98a4b
                            • Instruction Fuzzy Hash: 5211E8B1A002099BCB04DFAAD581AAEBBF8FF58750F14406AE905E7351D674EA018BA4
                            Function 0151EA60 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5af83c80246521551386b7fc824c84ace2b3c403626080d060453e92fd0edbc9
                            • Instruction ID: 9d774247091e5b96be4cbffbfb0bc723cc86fa50366a39376675078420437d02
                            • Opcode Fuzzy Hash: 5af83c80246521551386b7fc824c84ace2b3c403626080d060453e92fd0edbc9
                            • Instruction Fuzzy Hash: 3401B1321402119BD733BA1A8449D6EBBF9FF61650F05482EEA456F621CBB0DC81CBE1
                            Function 0146C020 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                            • Instruction ID: 187555cd2b3fed0f3ae4b0858a7794c647c702b6ed2a3046fbd0e5750199ea9d
                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                            • Instruction Fuzzy Hash: 68012D725007059FEB22DAAAC540F6777EDFFE5614F44442FA5868B660DA70E802C751
                            Function 014B20F0 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cded4ec2b336077a163d56417689fda2a2231a6cf001d4438e536ab0cf45e21
                            • Instruction ID: a9a92591b19005afe3eccbc4a532b94d04cfd40d8368890fb092ffcb92f7bec3
                            • Opcode Fuzzy Hash: 7cded4ec2b336077a163d56417689fda2a2231a6cf001d4438e536ab0cf45e21
                            • Instruction Fuzzy Hash: FF116D35A0020DABDB15EF69C890EAE7BB5EF54740F10405AF9129B360D635EE11CBA0
                            Function 014AE5CF Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad396ea7ba26abf2e303425ebc6225ee5efae445b68cc48e83cf2d44cc9a78d6
                            • Instruction ID: d134f20a3ab84e1b87cd916934c113273f3c43c9954716c912dd67f740e62fc8
                            • Opcode Fuzzy Hash: ad396ea7ba26abf2e303425ebc6225ee5efae445b68cc48e83cf2d44cc9a78d6
                            • Instruction Fuzzy Hash: 260171B2241551BBD611BB7ACD44E5BBBECFBA4A54700062AB10597671DB74EC01C6E0
                            Function 015069C0 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7827401a9390e299daf21c1d31029bbe7b76ca522836bbe44b847f8d8e85b1c5
                            • Instruction ID: 61bff489f52be6d4beed3efeb16d4a40c75b6c9b48d4db6940c50ea60c0c1338
                            • Opcode Fuzzy Hash: 7827401a9390e299daf21c1d31029bbe7b76ca522836bbe44b847f8d8e85b1c5
                            • Instruction Fuzzy Hash: 5501F032314202DBD321EF6EC4849ABBBE8FF54760F514529E9558F1D0D7309955C7D1
                            Function 014FC460 Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dff8b0acc9598cc0788e0dc1a07d48dda70ee2c105f9496ec0561c63845d684e
                            • Instruction ID: 8b3c30cdd4f01cef8bd31f7b5acc0f1b344e8fe30cd416438ac2c123b1b2d5ec
                            • Opcode Fuzzy Hash: dff8b0acc9598cc0788e0dc1a07d48dda70ee2c105f9496ec0561c63845d684e
                            • Instruction Fuzzy Hash: 56116D71A0020DEBDB15EF69C880EAE7BB6FB58740F00406EFE1197360DA35E911CB90
                            Function 014FC97C Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 76293c41965e9a7ee10e2ed808c4fa55f1518f284d6e246e46f8b554945acee9
                            • Instruction ID: 4900b2997d2bea3ae524c561ff4f2ce16fb8b235ba59cc99a77b202e5fa838d3
                            • Opcode Fuzzy Hash: 76293c41965e9a7ee10e2ed808c4fa55f1518f284d6e246e46f8b554945acee9
                            • Instruction Fuzzy Hash: A1112AB16143099FC710DF6AD48199BBBE4AF98710F00451FBA98D7361D630E901CBA6
                            Function 014FCA11 Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8932008b28a49f39dfd60eaa4c5c39c50baf02df497f283b2aee36eb93e2436
                            • Instruction ID: 91ba243e6b77abea3b9d876659e6e5807c5b39362e4f0082ec87f81750fa9402
                            • Opcode Fuzzy Hash: f8932008b28a49f39dfd60eaa4c5c39c50baf02df497f283b2aee36eb93e2436
                            • Instruction Fuzzy Hash: 01115AB16043099FC310DF6AC481A4BBBE4AF99750F00451FB958D7360E630E9018BA2
                            Function 0148E016 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                            • Instruction ID: 834534b434f59c1da294aa1a9c51d49b2d9dad898773a4b9d34e1e5d7eb201a5
                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                            • Instruction Fuzzy Hash: 740171712005809FE322DA1DC948F2B7BD8EB46B58F0904ABF905DB7B2D778DC42C621
                            Function 0146826B Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 519af38f3de58e6fe648c380106b5c8b957053926151ea887a93e0b7d6857670
                            • Instruction ID: 685e67f5741eae81742b29b7c436edf4b39cdcfbce7d923c5316fe77d137ac9c
                            • Opcode Fuzzy Hash: 519af38f3de58e6fe648c380106b5c8b957053926151ea887a93e0b7d6857670
                            • Instruction Fuzzy Hash: C601847170060ADBD714DB6AD8049AB77ADFFA0A14B15402FDA019B760DE30D902C691
                            Function 0151EB50 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 1f9406e7341c8f6bfbd54b0dd13f30dfda709634de0afb722e9cb10145f2788a
                            • Instruction ID: f85844315571ee5b8a4e67eaf406eef8893c39b4b99974356f24acd6e1a84638
                            • Opcode Fuzzy Hash: 1f9406e7341c8f6bfbd54b0dd13f30dfda709634de0afb722e9cb10145f2788a
                            • Instruction Fuzzy Hash: DE01A7712407019FE3325B1AD841F16BAE8FF65B50F01482EF6069F3A4DAB49841DBA4
                            Function 01472582 Relevance: .0, Instructions: 45COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c718f8fe72b77ae70ab5c31c1ebceb43fb63d9f46733cc493b4d2e4495f5ab1
                            • Instruction ID: c022f8fe62e450d9cc4b16c0336c5ec7cf3dc63d403e2ce4c6f95fb57af53199
                            • Opcode Fuzzy Hash: 8c718f8fe72b77ae70ab5c31c1ebceb43fb63d9f46733cc493b4d2e4495f5ab1
                            • Instruction Fuzzy Hash: F2F0F933641621B7C7319F578C40F577AA9EB94E90F00402EE60597660C670ED01C6A0
                            Function 0149C073 Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction ID: 9fe08424638a8f792565fb6688f6b29e261eb761f393978bfc0e5e66bdd8586f
                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction Fuzzy Hash: 64F0C8F2600611ABD324CF4DDC40E57FBEADBD1A90F048129A505C7320E631DD04CB50
                            Function 0154634F Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27cbe447f714c0a7dc005c5661b48eac4d6b4deaafafd6cf8741eb857270efe8
                            • Instruction ID: 2e742823d9ad3c36385b8bf41038e5f8420d9f1312c6f71d55cb9d0b1633be27
                            • Opcode Fuzzy Hash: 27cbe447f714c0a7dc005c5661b48eac4d6b4deaafafd6cf8741eb857270efe8
                            • Instruction Fuzzy Hash: 89018F71A10249EFDB00DFAAE440AAEB7F8FF58704F10402AF900EB350D734EA018BA0
                            Function 0146C310 Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction ID: ee76942999880c6cb81a789144c705a52d1fade5baa64ed2f32517df91903f8f
                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction Fuzzy Hash: E5F0FC732046239BD7321B9A48C0B2FB59D8FE1A6CF19403BE2459B264C9708D4256D2
                            Function 0154625D Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5432a23834e72e7edd6c3dcafdd7987e8ddc47875584ba383e4fb3455124ace8
                            • Instruction ID: 5863bfd7add3fcb9e977d434d8afa9b5d5ef95dad3e38af1e5385129ae55ce0b
                            • Opcode Fuzzy Hash: 5432a23834e72e7edd6c3dcafdd7987e8ddc47875584ba383e4fb3455124ace8
                            • Instruction Fuzzy Hash: 6E014471A10209EFDB04DFA9D451AAEB7F8FF58704F10406AF915EB351D674E901CBA4
                            Function 015462D6 Relevance: .0, Instructions: 43COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f6149d86a88ca3d66ddec3632735c0de86bebd354603979ae505604d3856119c
                            • Instruction ID: d7492bb90c87536cb7c17a6b3c2b2fb78c43dcadfb66d5b5319951884b1a23ea
                            • Opcode Fuzzy Hash: f6149d86a88ca3d66ddec3632735c0de86bebd354603979ae505604d3856119c
                            • Instruction Fuzzy Hash: 08014471A00249EFDB04DFA9D441A9EB7F8FF58704F50406AF915EB391D674ED018BA4
                            Function 014ACA6F Relevance: .0, Instructions: 42COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                            • Instruction ID: e495b94da43fb2eca2026cd549317fcc84e218ea7a82bc73b75db53475b9e257
                            • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                            • Instruction Fuzzy Hash: 2401F9322006869BEB32DB5DC849F6ABBD8EF61750F09407BFA048B7B1E774D801C211
                            Function 015461E5 Relevance: .0, Instructions: 41COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 004ee939d7caf86436dda05a552d5c36d77e77c814ce0381b1bdb801c007750b
                            • Instruction ID: cf96c3d58cc17e13e5a0828dbf82835dfde268549ab110903bdf54349cc330d2
                            • Opcode Fuzzy Hash: 004ee939d7caf86436dda05a552d5c36d77e77c814ce0381b1bdb801c007750b
                            • Instruction Fuzzy Hash: FF018F71A00249EBDB00DFAAD441AEEBBF8BF58714F14005AE501EB290D734EA01CBA4
                            Function 014F63C0 Relevance: .0, Instructions: 41COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                            • Instruction ID: eec93ff910c78590a3e7fabe9694328cee5268fd425dc64c459862c6fd553843
                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                            • Instruction Fuzzy Hash: 69F01D7220001DBFEF02AF95DD80DAF7B7EEB69698B114129FA1192170D631DD21ABA0
                            Function 014FA4B0 Relevance: .0, Instructions: 40COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 21564ca0c942d5a1d3199776833f507c28b3b41e1917623b5df63162485d3741
                            • Instruction ID: 87c43a4db012a166936a653cbfde2bee3f9fd0cd982cda121b09917319dd3da9
                            • Opcode Fuzzy Hash: 21564ca0c942d5a1d3199776833f507c28b3b41e1917623b5df63162485d3741
                            • Instruction Fuzzy Hash: E3018936110109ABCF129F84D844EDE3FA6FB4C654F16811AFE1866220C732D971EB81
                            Function 0146C0F0 Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cd2204e81c0afcb37c6cf84458c76fd1cf5c0cd084c9f5a4f5c8f9c84149259
                            • Instruction ID: df99bf1a04e52139453b879488e786a32daac4bb1f3fae6776d5e95d628b3229
                            • Opcode Fuzzy Hash: 7cd2204e81c0afcb37c6cf84458c76fd1cf5c0cd084c9f5a4f5c8f9c84149259
                            • Instruction Fuzzy Hash: 9FF02B712042419BF31095198C41FA3369DE7D0659F25802BE7498F7F1EB70DC428BD5
                            Function 014A656A Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0359e875379ef9171dbbe8d0b4ef13cdc8462f9a5551954909260f5c0d75eb32
                            • Instruction ID: 5e03c7ea8e78d9fa4d8397bfcd77c27d9b6ab0a90d4dfffcbd15f9d4adae8e0b
                            • Opcode Fuzzy Hash: 0359e875379ef9171dbbe8d0b4ef13cdc8462f9a5551954909260f5c0d75eb32
                            • Instruction Fuzzy Hash: 5A0181702406819BF7229F2CDD48B2A37E4AB60B44F8E0596FA51CBBF6D778D4028610
                            Function 0151437C Relevance: .0, Instructions: 37COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                            • Instruction ID: 666b6d1740cdd4a920da7c18d87c3a89c240be73d0338f10b7f649a91d308e8d
                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                            • Instruction Fuzzy Hash: 17F0E93534191347FB37AB2E8420B2EAA95BFA0B10B25292E9605CF694DF20D8808780
                            Function 014FE872 Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                            • Instruction ID: 89e5ebbc7c8e123730c948fdecafa9313a737a4424b6c0e6148aafedcb3b4445
                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                            • Instruction Fuzzy Hash: 47F054737115119BD321AE4ECC80F17B769AFD5A61F1A006EA704AB370C770EC4287D0
                            Function 014FC89D Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36950168525c2dbe0c9c5dff00abb791915868e354cb545abcc3ca6da038e26d
                            • Instruction ID: e90ff195d34e36ae8aaf2fc286080d8cb15d1feee9d5c3db865e1be025696ad6
                            • Opcode Fuzzy Hash: 36950168525c2dbe0c9c5dff00abb791915868e354cb545abcc3ca6da038e26d
                            • Instruction Fuzzy Hash: E6F08C706053089FC314EF69C481A1AB7E4EFA8710F40465EB998DB3A4E634E901C796
                            Function 014A0854 Relevance: .0, Instructions: 35COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                            • Instruction ID: 844d38892f4d309a09528ed29e564846ee55acb14327ee10bd08482d74086c29
                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                            • Instruction Fuzzy Hash: 3AF0B472610204AFE714DF26CC01F56B6E9EFB8354F56807DA545D72B0FAB0ED01C658
                            Function 014FC912 Relevance: .0, Instructions: 34COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d5a428627219c35d36b9b090c8b079d66fd543f5566027afddb10ee7a3d305a
                            • Instruction ID: f9fea12668ab89950e2ffe3a74f9e1ce48c67e727e0d57d4692eb9e2849277ca
                            • Opcode Fuzzy Hash: 0d5a428627219c35d36b9b090c8b079d66fd543f5566027afddb10ee7a3d305a
                            • Instruction Fuzzy Hash: 03F04470A0124DDFDB14EF69C555E9EB7F4EF14700F00405AA955EB395D634EA01CB54
                            Function 014747FB Relevance: .0, Instructions: 33COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52421cb6eab697f1f566cae2bbbf139c544e4e157dece8744d5c78d05aa2a9cd
                            • Instruction ID: 34752382e8244905797ccc37999a85998834c2fa4b6f9ae1ac6766d497a645da
                            • Opcode Fuzzy Hash: 52421cb6eab697f1f566cae2bbbf139c544e4e157dece8744d5c78d05aa2a9cd
                            • Instruction Fuzzy Hash: 21F024399022D98FE732CB1CC004BB7BBC49B02B20F0E986BC54987632C330D880C640
                            Function 01530115 Relevance: .0, Instructions: 32COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e06e25a7cd953ca78d25ae5cf5227f7f4e33137f41a8fb745c7defd4d3078f40
                            • Instruction ID: 990a8d28541e7baa9738a53e2db789427e4e5f43642737abd4911c3a887a008d
                            • Opcode Fuzzy Hash: e06e25a7cd953ca78d25ae5cf5227f7f4e33137f41a8fb745c7defd4d3078f40
                            • Instruction Fuzzy Hash: CEF027374197D216DF325B2C7C902E92B64B7C3410F0A1445DCB1AF299C6748887D3A0
                            Function 014AC5ED Relevance: .0, Instructions: 31COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12b794a56ad8d8297c5f10e55e3901cefb73d7187589b72d9331d0a563c25f7e
                            • Instruction ID: 7282d6ab8c3987e5a957cfc4841c2e2253f1428530589444eded1168308633a8
                            • Opcode Fuzzy Hash: 12b794a56ad8d8297c5f10e55e3901cefb73d7187589b72d9331d0a563c25f7e
                            • Instruction Fuzzy Hash: DEF0E2715126919FE3B2D71CC1C8B927BD4AB64BA4F8A9427D40E87732C770F882CA91
                            Function 014B2619 Relevance: .0, Instructions: 31COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction ID: e068216713ddde09b0af5b5307b4aebcc55cf1c3f9dca1de25bfd78acc4fc8d9
                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction Fuzzy Hash: FDE092723006012BE712AE5ACCC0F97776E9FA2B10F04007EB6045E2A1CAF29D0982B4
                            Function 01506030 Relevance: .0, Instructions: 29COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                            • Instruction ID: 4cadde818dea9b7cad73b4824a9ac0c8c92582fb6d0437cf04ce003e80cd2548
                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                            • Instruction Fuzzy Hash: CBF0A0721402049FE322CF4AD944F56B7F8FB15364F01C02AE6088F1A0D33AEC50CBA0
                            Function 01470710 Relevance: .0, Instructions: 28COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                            • Instruction ID: a942ce1b7140437df82b877403f5c311d9a6a43800711646c0d336e581062486
                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                            • Instruction Fuzzy Hash: A9F0E53E2053819BEB16DF19D040AE5BFE4FB56750F00006AF8428B361E731E982CB50
                            Function 014A49D0 Relevance: .0, Instructions: 28COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                            • Instruction ID: 4d69f13c748352713e9c6954e2f75da56f18cbaef797caee445d40327f155f7a
                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                            • Instruction Fuzzy Hash: C2E09232244145ABE3212A598810B6E76A59BF07A0F9F042AE2019B260DBB0DC41C798
                            Function 01544164 Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a88379f61a7408035e4b7e52e2c1303273b55d5dcd32736bbf58bb895c5cced5
                            • Instruction ID: c2dfde97a13a5b2932b4e7fc88209153bffad2b10ee60c7a6d7b421a71fc027c
                            • Opcode Fuzzy Hash: a88379f61a7408035e4b7e52e2c1303273b55d5dcd32736bbf58bb895c5cced5
                            • Instruction Fuzzy Hash: 36F02B31AA56914FE772D72CD140F5D77E0BF10A38F1A2556D4008F912C330EC80C650
                            Function 0151678E Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                            • Instruction ID: 34b21089bad694f6f8ee5dfd23e6afcc309af4dc0e1e2e0d50b7f765d0eccbcb
                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                            • Instruction Fuzzy Hash: 01E0D832601110BBEB2297598D01F9E7EACEB60EA0F050055B600EB0E4D570DE00C6D0
                            Function 015408C0 Relevance: .0, Instructions: 25COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                            • Instruction ID: ff381e3acfa3632469c588306cda3651cd38cd6716e2c6e66b67be52c1339bea
                            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                            • Instruction Fuzzy Hash: 58E09B316407548BDB258A2DC240AD7B7E8FFD5668F358069EE094B657C231F842C6D0
                            Function 014725E0 Relevance: .0, Instructions: 23COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4c0015ec13af52a9b7039db8e9f29f838e18286cdca9533302593801021e1d54
                            • Instruction ID: 231252b0d9c6a0f159a0ca5342a53bb7bceebfae99f495b95b3df0d6b99b4e33
                            • Opcode Fuzzy Hash: 4c0015ec13af52a9b7039db8e9f29f838e18286cdca9533302593801021e1d54
                            • Instruction Fuzzy Hash: 7AE092721005549BC722BF2ADD01FDA779AEB70760F01451AF115571B0CA70AD50C7D4
                            Function 0152A456 Relevance: .0, Instructions: 23COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                            • Instruction ID: a9b419fa1c73522454d1908ba86912fb83218a910218b8097b545c54bfea6380
                            • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                            • Instruction Fuzzy Hash: 74E0ED32011661DFEB366F2BD948B56BAE1BFA1711F15882EE196168F0C7B5D8C1CA80
                            Function 014F4000 Relevance: .0, Instructions: 22COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                            • Instruction ID: 552e1d9cfd978258528ac0fbe6b7547fddc6be41a789de79dbd29502c5214b5c
                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                            • Instruction Fuzzy Hash: 78E0AE743002058FE715CF19C040B637BA6BFD5A10F28C069AA488F305EB32A8428A40
                            Function 014ACA38 Relevance: .0, Instructions: 22COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e0672621267fe55c4896eb7b7a4a760ad26427b20ac84959571bbfc73e82b6a
                            • Instruction ID: 5e594843807a569244050d4db6f1bcf1172f971d36fbabe7361dafc8eb408c75
                            • Opcode Fuzzy Hash: 3e0672621267fe55c4896eb7b7a4a760ad26427b20ac84959571bbfc73e82b6a
                            • Instruction Fuzzy Hash: 51D02B324850206ECFB5F219BC54FB73A9D9B74620F034873F10897030D534CC8192C4
                            Function 0146823B Relevance: .0, Instructions: 21COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                            • Instruction ID: fb72cb6e83dd29fde38d9ec84ff031a56f397557d484d8aa2867ecfdd891266b
                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                            • Instruction Fuzzy Hash: 38E08C32544B12EFDB322F16DC00F9277A9FB68B54F10482FE081160B48AB0A882CA55
                            Function 01472050 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d17c05e072ed56f8163ddc9a2c7d4ed0f5d584667a4962e4ae015a38ffb235d4
                            • Instruction ID: 4aa95757394e652266467ea4426501651e0f7d66eb88752d2a9e86e8f7bbb980
                            • Opcode Fuzzy Hash: d17c05e072ed56f8163ddc9a2c7d4ed0f5d584667a4962e4ae015a38ffb235d4
                            • Instruction Fuzzy Hash: C5E08C721004506BC311FE6EED00E9A739AEBB4660F05422AF1558B2A0CA70AC40C794
                            Function 014AE59C Relevance: .0, Instructions: 16COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                            • Instruction ID: 456f4893105180f9fe565416c47a75086344cf511ad29baad007e85d5cc1a39c
                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                            • Instruction Fuzzy Hash: AFD0A7335045105BD732AA1DFC04FC333D9BB58721F05045AB004C7160C370EC81C644
                            Function 014EE908 Relevance: .0, Instructions: 16COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                            • Instruction ID: d9cfe2993c5102737718e8f3f801dd6f9a8a673bbe4565f734eb12f6af6c7c6a
                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                            • Instruction Fuzzy Hash: 03E0EC769506849BDF12EF5AD644F5EBBF9BB94B40F150059A1086B771C634E900CB40
                            Function 0146A0E3 Relevance: .0, Instructions: 15COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                            • Instruction ID: 1587e16b362ff6b27e371a67ab847720c956b0a625d140582820acd601e88115
                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                            • Instruction Fuzzy Hash: 1BD0223321243093CB286A566800FA77909AB80A98F2A002E780AA3920C4248C83C2E0
                            Function 014AA830 Relevance: .0, Instructions: 14COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                            • Instruction ID: 535b1fa528582c059369c638103e51f61e646b96712abec006e4278b0e3b03b0
                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                            • Instruction Fuzzy Hash: 99D012771D054DBBCB11AF66DC01F957BA9E764BA0F444021B504875A0C63AE990D584
                            Function 014ACA24 Relevance: .0, Instructions: 14COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9d684c4cb71e6b69555518c001f1e28b658ef9da4f8e03e0f38db72ae3b1eb7
                            • Instruction ID: 8bc108f18d7ec7959214c0fee60dab30a83aa2818ab8cabbdcacc580fa04ff2a
                            • Opcode Fuzzy Hash: a9d684c4cb71e6b69555518c001f1e28b658ef9da4f8e03e0f38db72ae3b1eb7
                            • Instruction Fuzzy Hash: 67D0A735501412CBDF16DF09C568E7F36B0FB20641B81017EE70152230E334DC01C680
                            Function 014802A0 Relevance: .0, Instructions: 13COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                            • Instruction ID: 4c8b903bbbbbf5c90a0c2adfc645630dc7224ca0decee9a8ddae9c5ff8b2d627
                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                            • Instruction Fuzzy Hash: 2FD09235222A80CFDB1A8B0CC5A4B1A33A4BB44A44F850491E401CBB72D678D984CA00
                            Function 014AC700 Relevance: .0, Instructions: 12COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                            • Instruction ID: 152079742ae94b7e665074b5c8b9d40b48ca06edd8dba778ede82dd78114d4f5
                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                            • Instruction Fuzzy Hash: DFC01233290648AFC712AE9ACD01F067BA9EBA8B40F000022F2048B670C631E860EA84
                            Function 01490310 Relevance: .0, Instructions: 11COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction ID: 523bdf72699c6140fec0cdb3f384e292fbb654e24b18605bda106206f2b24fc9
                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction Fuzzy Hash: 2ED01236100248EFCB11DF41C890D9A7B2EFBD8710F508019FD19076108A31ED62DA50
                            Function 01470750 Relevance: .0, Instructions: 9COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction ID: e0ad2aaaf0b2fbbdb1cb411b5f3391c658cbb5b7dc99e83d56ceacbb4ad681ed
                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction Fuzzy Hash: B3C00179601A428BDF16EE2AD294A5A7BE4BB54B40F160895E8059BB22E724E802CA10
                            Function 014B4340 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 03b3bb3f00d759b5f804db8bdd1fe0261b91d385e99e5240bf1ff3877a32ddc8
                            • Instruction ID: 56cd2e861c80f570c329457cbf67a4b8cbb7dbd70c6dd7d83495843e6a2e70f7
                            • Opcode Fuzzy Hash: 03b3bb3f00d759b5f804db8bdd1fe0261b91d385e99e5240bf1ff3877a32ddc8
                            • Instruction Fuzzy Hash: 9C900235605801129180715D48845464005A7F0701B55C016E0424555CCB268A565361
                            Function 014B4650 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 25eec98055ee190941b751fce7f78bb7bc937876283cb0b77edb871c59bd6b00
                            • Instruction ID: c476ec2fbb874b1cc6407d0114ce473179ef309d01fb5412c9f20513e640780a
                            • Opcode Fuzzy Hash: 25eec98055ee190941b751fce7f78bb7bc937876283cb0b77edb871c59bd6b00
                            • Instruction Fuzzy Hash: A1900265601501424180715D48044066005A7F1701395C11AA0554561CC72A89559369
                            Function 014B2BE0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 054ad51a384c565ed6ed3bbebf2bc15088b9b85669d3f83b161956d9883731e8
                            • Instruction ID: ba5642db73d6b99fbe79e602dd3d99b8a1338f6b83be27592b1d84b3c0465a1b
                            • Opcode Fuzzy Hash: 054ad51a384c565ed6ed3bbebf2bc15088b9b85669d3f83b161956d9883731e8
                            • Instruction Fuzzy Hash: 6090023520544942D180715D4404A46001597E0705F55C016A0064695DD7378E55B761
                            Function 014B2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed24a2039b4eab8132a5eaf1673f1cd7626a582c14a71d988eb92369cfb4faae
                            • Instruction ID: 847076136b7729282f2ffa08c71537ed1b653ca7d9e05842c85cd6bec0240633
                            • Opcode Fuzzy Hash: ed24a2039b4eab8132a5eaf1673f1cd7626a582c14a71d988eb92369cfb4faae
                            • Instruction Fuzzy Hash: 7490023520140902D1C0715D440464A000597E1701F95C01AA0025655DCB278B5977A1
                            Function 014B2B80 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0537ff0d7b89799ec0aeb308952caead9240d4d971885c7281a92261aaa0cd4e
                            • Instruction ID: 94a6159d841187536fe0c29985825b249cc0a1e5f72b9f1ff5109182f3c8e1cb
                            • Opcode Fuzzy Hash: 0537ff0d7b89799ec0aeb308952caead9240d4d971885c7281a92261aaa0cd4e
                            • Instruction Fuzzy Hash: 3B90023520140902D144715D4804686000597E0701F55C016A6024656ED77789917231
                            Function 014B2BA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bc139119e464e8bf3c0fa17d1e2cc20f5657b7382e2b201568205a33fedfd7d2
                            • Instruction ID: 3f3c4451c85150bdd506eb3f58ddee6a8abe6e1581fba6e05173734668866fa7
                            • Opcode Fuzzy Hash: bc139119e464e8bf3c0fa17d1e2cc20f5657b7382e2b201568205a33fedfd7d2
                            • Instruction Fuzzy Hash: E190023560540902D190715D4414746000597E0701F55C016A0024655DC7678B5577A1
                            Function 014B2AD0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 94bcb460be411d6cd7b8e5fc8ad4a94d560a4fed4fb3572152c570c5049e4488
                            • Instruction ID: d871e5684d802fd97ce1d006756c9aaeca54f9b954334dd03c7ab4da24ef21a3
                            • Opcode Fuzzy Hash: 94bcb460be411d6cd7b8e5fc8ad4a94d560a4fed4fb3572152c570c5049e4488
                            • Instruction Fuzzy Hash: 9690043D311401030145F55D07045070047D7F5751355C037F1015551CD733CD715331
                            Function 014B2AF0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5693e2a094012c44ac4076eeb52575d055913168ccacad4c3f90a66f64c83670
                            • Instruction ID: 5099c0ddbe75eab0185521514aa45f1803fb1e7b6f9e50dd1d14975195b31d57
                            • Opcode Fuzzy Hash: 5693e2a094012c44ac4076eeb52575d055913168ccacad4c3f90a66f64c83670
                            • Instruction Fuzzy Hash: 3F900229221401020185B55D060450B0445A7E6751395C01AF1416591CC73389655321
                            Function 014B2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 002e33f5b716c40195538c6cba43b29257a9be2b81da9df2c45c46cc7c04c3c9
                            • Instruction ID: ad0b71896096b1f2c01dd86fa0cbdf4c79388e8828a78bd2c48298c57e1be10f
                            • Opcode Fuzzy Hash: 002e33f5b716c40195538c6cba43b29257a9be2b81da9df2c45c46cc7c04c3c9
                            • Instruction Fuzzy Hash: 0D9002A5201541924540B25D8404B0A450597F0601B55C01BE1054561CC63789519235
                            Function 014B2D00 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e630e4697323b7bb4ce659ba74aa8ac378ffad570172539983a29788be8a5019
                            • Instruction ID: bf4fb62066a53566e95a398177bb8c72816d422744f75f40a557152cf9fddc59
                            • Opcode Fuzzy Hash: e630e4697323b7bb4ce659ba74aa8ac378ffad570172539983a29788be8a5019
                            • Instruction Fuzzy Hash: 8D90022520544542D140755D5408A06000597E0605F55D016A1064596DC7378951A231
                            Function 014B2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a7cfbdb8b741a4cb40b50a2a796412f5697c461ad54319f72802dc601c493f4
                            • Instruction ID: 32b8a003fb619961cb25cadf56b861d4e6ca7c8d6fc0bbf3ad764364b301124f
                            • Opcode Fuzzy Hash: 4a7cfbdb8b741a4cb40b50a2a796412f5697c461ad54319f72802dc601c493f4
                            • Instruction Fuzzy Hash: C090022D21340102D1C0715D540860A000597E1602F95D41AA0015559CCA2789695321
                            Function 014B2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae24980237fbd39f17b734e40c78dfb7b91936679d2b00c48d00d6ae0436e7f0
                            • Instruction ID: 16f98e2dd7696c904b7693efd657a8a600de56f8942505e1db3fcb8e825fd93b
                            • Opcode Fuzzy Hash: ae24980237fbd39f17b734e40c78dfb7b91936679d2b00c48d00d6ae0436e7f0
                            • Instruction Fuzzy Hash: 4590022530140103D180715D54186064005E7F1701F55D016E0414555CDA2789565322
                            Function 014B2DD0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d46f3de31dd19b35836816e9b1625e6a6061d803d916b06af9b55f2243278d7e
                            • Instruction ID: 661a2833be3ec7fa3be0ace09b76da4042cb08f3b76bcce06ebe7f55df14155c
                            • Opcode Fuzzy Hash: d46f3de31dd19b35836816e9b1625e6a6061d803d916b06af9b55f2243278d7e
                            • Instruction Fuzzy Hash: 05900225242442525585B15D44045074006A7F0641795C017A1414951CC6379956D721
                            Function 014B2DB0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e45e6044ac884c746424e4324d1b1e687d53ff4c594470f95721b424acd8ea1c
                            • Instruction ID: 0a68abab06750befbeabd12af98bdaf63cbebdbe56ee8cb86edee6ac9e6c82b4
                            • Opcode Fuzzy Hash: e45e6044ac884c746424e4324d1b1e687d53ff4c594470f95721b424acd8ea1c
                            • Instruction Fuzzy Hash: 1D90023524140502D181715D44046060009A7E0641F95C017A0424555EC7678B56AB61
                            Function 014B2C60 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab3cd3fb54cb76d48921c7dc485de6bfca86bce5c9ca854c50573748647ca8b6
                            • Instruction ID: b6d1053dea12355a26a9ab0fd8f3b699538a20930bd94240206a70b63400dc24
                            • Opcode Fuzzy Hash: ab3cd3fb54cb76d48921c7dc485de6bfca86bce5c9ca854c50573748647ca8b6
                            • Instruction Fuzzy Hash: 3190023520140942D140715D4404B46000597F0701F55C01BA0124655DC727C9517621
                            Function 014B2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fe6f1c32ea327033d119a88219820cecd2f330441e3d267a359a692428c35dec
                            • Instruction ID: 762ea6852d71e3134eaf7276f334527adb26b7e720f7bc16345c8babc541cae7
                            • Opcode Fuzzy Hash: fe6f1c32ea327033d119a88219820cecd2f330441e3d267a359a692428c35dec
                            • Instruction Fuzzy Hash: C390022560540502D180715D5418706001597E0601F55D016A0024555DC76B8B5567A1
                            Function 014B2CF0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53a18a3ade40c9a38199550f10f1515c6b25fda52b50acfdf47e3ea84ab6396d
                            • Instruction ID: b6c70555702ec9f3e9b731244407e23e5d8bc9c3af2713bf75b9f19fa0e1b955
                            • Opcode Fuzzy Hash: 53a18a3ade40c9a38199550f10f1515c6b25fda52b50acfdf47e3ea84ab6396d
                            • Instruction Fuzzy Hash: 9C90043530140503D140715D550C7070005D7F0701F55D417F043455DDD777CD517331
                            Function 014B2CA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 81a95847905999e2a03e48d6091e2a8b484a05bab03889d55f7d3507d4559df2
                            • Instruction ID: 75d4557bdedc0108a8cb927023f75cb65ebda50bb6ce708836cc0df0cd6008bc
                            • Opcode Fuzzy Hash: 81a95847905999e2a03e48d6091e2a8b484a05bab03889d55f7d3507d4559df2
                            • Instruction Fuzzy Hash: A990023520140502D140759D5408646000597F0701F55D016A5024556EC77789916231
                            Function 014B2F60 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e101982556e560c6d16b2feead067ad0b136dbad1dcf01cc75f880f599b8161b
                            • Instruction ID: 5a1aca0eb9628fc85141493fa17b4f25d1ffcc59b77c14ba5c73b44795bb4ee0
                            • Opcode Fuzzy Hash: e101982556e560c6d16b2feead067ad0b136dbad1dcf01cc75f880f599b8161b
                            • Instruction Fuzzy Hash: D990047531140143D144715D44047070045D7F1701F55C017F3154555CC73FCD715335
                            Function 014B2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 89ac9704ea2b052cde1f2b4082f44044f5c49595ebfbf9768da05d7cbca50827
                            • Instruction ID: bdb9771bf96b6acab63452abda5aaf4db5e7755bbc803a7980af915c69e51861
                            • Opcode Fuzzy Hash: 89ac9704ea2b052cde1f2b4082f44044f5c49595ebfbf9768da05d7cbca50827
                            • Instruction Fuzzy Hash: BA90026534140542D140715D4414B060005D7F1701F55C01AE1064555DC72BCD526226
                            Function 014B2FE0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d46b13129e73edf234f48eed962d0a0be9c111b5b6ada18c3660d1c2ffda521
                            • Instruction ID: 69bcbf8906785efb0bc7dfa3a66289dcbb33d9bbf1760bebf2e12103943b1983
                            • Opcode Fuzzy Hash: 6d46b13129e73edf234f48eed962d0a0be9c111b5b6ada18c3660d1c2ffda521
                            • Instruction Fuzzy Hash: 6A900225211C0142D240756D4C14B07000597E0703F55C11AA0154555CCA2789615621
                            Function 014B2F90 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 785d9bdb500e26ca53455d85e78f8dcf595e0a701496f9bc07a54ac07f6fb0af
                            • Instruction ID: a530766adbef42901cef129cbeb8054692540d52fc6f74fe9d8563faff6f840d
                            • Opcode Fuzzy Hash: 785d9bdb500e26ca53455d85e78f8dcf595e0a701496f9bc07a54ac07f6fb0af
                            • Instruction Fuzzy Hash: 7E90023520180502D140715D481470B000597E0702F55C016A1164556DC73789516671
                            Function 014B2FA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 025cf284e135e7fb2e60bab7ce2581f2198f9d32c7ec38243da5254d4f5d4f11
                            • Instruction ID: 3ce34af493af6e53d63a377a913f8216980bcb2ccde43fe144d1129d9c40e73d
                            • Opcode Fuzzy Hash: 025cf284e135e7fb2e60bab7ce2581f2198f9d32c7ec38243da5254d4f5d4f11
                            • Instruction Fuzzy Hash: 1890023520180502D140715D4808747000597E0702F55C016A5164556EC777C9916631
                            Function 014B2FB0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 87f8c33280da7d151c3a702eedb1255c7a06f8d63d47d8fe57b562b4c3ff3b2c
                            • Instruction ID: f813ba68b97500889d91a6140a3340404ae7b6937a01a29d83001bb4f48ff39f
                            • Opcode Fuzzy Hash: 87f8c33280da7d151c3a702eedb1255c7a06f8d63d47d8fe57b562b4c3ff3b2c
                            • Instruction Fuzzy Hash: 5C900225601401424180716D88449064005BBF1611755C126A0998551DC66B89655765
                            Function 014B2E30 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52e51778557357062345f65b5ec015c4a349c0c83fed0dbe1471cbe5baabd75f
                            • Instruction ID: e1688bad055d7f14cfeb4319ef03bfedcb4ba764e9b9445c628f4fbcca4beefa
                            • Opcode Fuzzy Hash: 52e51778557357062345f65b5ec015c4a349c0c83fed0dbe1471cbe5baabd75f
                            • Instruction Fuzzy Hash: E290022530140502D142715D44146060009D7E1745F95C017E1424556DC7378A53A232
                            Function 014B2EE0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 49b2b43bc3c3b38be97582351e4d42591846f8df4c7cb7b02770d1d46df353ac
                            • Instruction ID: 0480b5d7bceec278dd336422f524369fc343d30931b0de45592f4c7ea741ee8b
                            • Opcode Fuzzy Hash: 49b2b43bc3c3b38be97582351e4d42591846f8df4c7cb7b02770d1d46df353ac
                            • Instruction Fuzzy Hash: 4790026520180503D180755D4804607000597E0702F55C016A2064556ECB3B8D516235
                            Function 014B2E80 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1614e518c1d0942a3811ef02229f1b8a6884a132ddcdd8fccd0e36691fe4e8b6
                            • Instruction ID: 2c955735f4f55fc59749d7c3078693651962005db40db242fb844d6690242177
                            • Opcode Fuzzy Hash: 1614e518c1d0942a3811ef02229f1b8a6884a132ddcdd8fccd0e36691fe4e8b6
                            • Instruction Fuzzy Hash: 3090022560140602D141715D4404616000A97E0641F95C027A1024556ECB378A92A231
                            Function 014B2EA0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9464678d24d31c2ae0f4af0f6025c6b74a5dc96b320006a1d40e940eff35c86e
                            • Instruction ID: 3ddd1ee95c2949ed675d10a62ee2251d9eafb2cf23d3a936ad88df2b2e38e74d
                            • Opcode Fuzzy Hash: 9464678d24d31c2ae0f4af0f6025c6b74a5dc96b320006a1d40e940eff35c86e
                            • Instruction Fuzzy Hash: F190027520140502D180715D4404746000597E0701F55C016A5064555EC76B8ED56765
                            Function 014B3010 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfd6ebe83e49ba89297722ff7e58b0cd38ad525675c30821ea25d2bb9a36e1e5
                            • Instruction ID: 8ca8013a1c3849d272b52bd07106e351f327164371d65b8f510257762bd00720
                            • Opcode Fuzzy Hash: cfd6ebe83e49ba89297722ff7e58b0cd38ad525675c30821ea25d2bb9a36e1e5
                            • Instruction Fuzzy Hash: B490022520184542D180725D4804B0F410597F1602F95C01EA4156555CCA2789555721
                            Function 014B3090 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8916dd80c393e2ee36be1f4798803e4affa7b4a5be7931b7f802dc8e4bdf1701
                            • Instruction ID: cff316eebf631a6893ca8817c16d71ec2da92eefb2da0ddc1365ebcaa4f387e5
                            • Opcode Fuzzy Hash: 8916dd80c393e2ee36be1f4798803e4affa7b4a5be7931b7f802dc8e4bdf1701
                            • Instruction Fuzzy Hash: 1E90022524140902D180715D84147070006D7E0A01F55C016A0024555DC7278A6567B1
                            Function 014B39B0 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 55e93066f005e4c575f59a4e5598208c61f60cc2b6e8e5046f727d91aa50a67b
                            • Instruction ID: 94bf5fa108e1120ae322f0fadffe82eb8f327419ebec96a6ccdac95991b014a3
                            • Opcode Fuzzy Hash: 55e93066f005e4c575f59a4e5598208c61f60cc2b6e8e5046f727d91aa50a67b
                            • Instruction Fuzzy Hash: 7390022524545202D190715D44046164005B7F0601F55C026A0814595DC66789556321
                            Function 014B3D70 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa76eb2d59bb110fd75cc703dc1de900e51ef5a446e75b8152032e14b81252da
                            • Instruction ID: c79974629432b73cdcb4d0bfea9194d81cd7152d81a14e77abfe832cb5517c21
                            • Opcode Fuzzy Hash: aa76eb2d59bb110fd75cc703dc1de900e51ef5a446e75b8152032e14b81252da
                            • Instruction Fuzzy Hash: AB90023920140502D550715D5804646004697E0701F55D416A0424559DC76689A1A221
                            Function 014B3D10 Relevance: .0, Instructions: 4COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92d772d0570b1aa000c4c15113e91771ffad8edf5f87b67a6994e61ba5111815
                            • Instruction ID: 3d46cd50c3ddf9838059c2250f3299720a3b2f87dae0e688cf98ab064a1eeee7
                            • Opcode Fuzzy Hash: 92d772d0570b1aa000c4c15113e91771ffad8edf5f87b67a6994e61ba5111815
                            • Instruction Fuzzy Hash: 15900235202402429580725D5804A4E410597F1702B95D41AA0015555CCA2689615321
                            Function 014B2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                            • Instruction ID: f458ac649c4505528ec7d3347e2d64298000f775e35b63f808b70b609707a861
                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                            • Instruction Fuzzy Hash:
                            Function 014B2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            • Opcode ID: 2a945e46dac85bb69dc55da320128b0d20b56d90a4979e7fd898b3adfc7664a7
                            • Instruction ID: dd435833311f2ad2de4b5006caff06a496e030515c172a58c989a5ebcd7a1997
                            • Opcode Fuzzy Hash: 2a945e46dac85bb69dc55da320128b0d20b56d90a4979e7fd898b3adfc7664a7
                            • Instruction Fuzzy Hash: 1551D4B5A00116ABDB21DB9D88D49BFFBB8BB19241724822FE469D7651D374EE0087E0
                            Function 01522410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            • Opcode ID: 193fd408e2eecdc8a39ca130946ea2f2592956ba0fb267daf59df56f154c2e14
                            • Instruction ID: 89172d5e0f04c445038d6567511058f870130f3992bdcedb7e15812f11f4a069
                            • Opcode Fuzzy Hash: 193fd408e2eecdc8a39ca130946ea2f2592956ba0fb267daf59df56f154c2e14
                            • Instruction Fuzzy Hash: E451F67AB00656AFDB31DE5DC89097EB7F8BB45204F04C85EE496CF681E674DA4087A0
                            Function 014A7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                            Download Yara Rule
                            Strings
                            • ExecuteOptions, xrefs: 014E46A0
                            • Execute=1, xrefs: 014E4713
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014E46FC
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 014E4787
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 014E4742
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 014E4725
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 014E4655
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            • Opcode ID: e0f798ef3e1d3b244c68fcee6ab6645a5d1e4477b26a983c0db53115089ca837
                            • Instruction ID: 0969687b5d647f85862089ab79aedcc26460b5cd68c04697851bbc3f4887b4ac
                            • Opcode Fuzzy Hash: e0f798ef3e1d3b244c68fcee6ab6645a5d1e4477b26a983c0db53115089ca837
                            • Instruction Fuzzy Hash: C9514D316002096AEF31ABA9DC85FFA3BB8AF34311F55009FD609972B1D772AA458F50
                            Function 01546940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                            • Instruction ID: ad71364dc896a1c273c04b4168ef61e03f0dc5b4e3510717159d3c30a0a69fe6
                            • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                            • Instruction Fuzzy Hash: 76020371508342AFD309CF19C890A6FBBE5FFD9708F04892DB9998B264DB71E905CB52
                            Function 014BB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                            • Instruction ID: eb7c86418bdb2355b0493b03fa79ba37dc24b02f21a6eea2b364e0dafb5140c8
                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                            • Instruction Fuzzy Hash: 1C81BF70E052499EEF258E6CC8D17FEBBA1EF55320F18421BD865A73A1C7348851CB72
                            Function 015220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$[$]:%u
                            • API String ID: 48624451-2819853543
                            • Opcode ID: 52875dd0f3960f28de0e0c6cae187ed2bea8fd6bfa22f05e28cfd4b9d9247f24
                            • Instruction ID: 6861f6fabe636e3c9a270556431713862abdf1994b8c105e3aef96bf10761ad2
                            • Opcode Fuzzy Hash: 52875dd0f3960f28de0e0c6cae187ed2bea8fd6bfa22f05e28cfd4b9d9247f24
                            • Instruction Fuzzy Hash: C321517FA00129ABDB10DF69DC80EEEBBF8AF55644F15012AE905E7240E730D9018BA1
                            Function 0149F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                            Download Yara Rule
                            Strings
                            • RTL: Re-Waiting, xrefs: 014E031E
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014E02BD
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014E02E7
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            • Opcode ID: 19238eeaf3329b3e8ca3cd4165e413768377b2333ec594159dfc4ebe04f77909
                            • Instruction ID: b53fd39a5b8ce02910e3840f89f95ba5f7d7b7fd3428b006db15e2c4c68f035e
                            • Opcode Fuzzy Hash: 19238eeaf3329b3e8ca3cd4165e413768377b2333ec594159dfc4ebe04f77909
                            • Instruction Fuzzy Hash: 4AE17C306047429FDB25CF28C884B6ABFE0AB84314F140A5EF5A5CB3B1D7B5D949CB92
                            Function 014ABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                            Download Yara Rule
                            Strings
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 014E7B7F
                            • RTL: Re-Waiting, xrefs: 014E7BAC
                            • RTL: Resource at %p, xrefs: 014E7B8E
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            • Opcode ID: 0c7c01ad74c404e6b2d4701c3e77d7999f5360d91a37356d8e2e242b5898ff90
                            • Instruction ID: 31e3466cc46d2ff997d0b9c6b3629bbafead0a04f61963bd63036e34f2b90b3c
                            • Opcode Fuzzy Hash: 0c7c01ad74c404e6b2d4701c3e77d7999f5360d91a37356d8e2e242b5898ff90
                            • Instruction Fuzzy Hash: 1941E3353007029FDB20CE29C850B6BB7E5EBA8721F150A1EFA56D77A0DB71E4058B91
                            Function 014AB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                            Download Yara Rule
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014E728C
                            Strings
                            • RTL: Re-Waiting, xrefs: 014E72C1
                            • RTL: Resource at %p, xrefs: 014E72A3
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 014E7294
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            • Opcode ID: 86794f5f4587f9520cc786ce42782021a454fe0ae8b8cb4f9c24e23bded6de68
                            • Instruction ID: 8a3104d5bdcac1e05eb990af1e226fd73ebcf2a5359bd83943b05b76d8b16123
                            • Opcode Fuzzy Hash: 86794f5f4587f9520cc786ce42782021a454fe0ae8b8cb4f9c24e23bded6de68
                            • Instruction Fuzzy Hash: BA41D235600603ABD721DF29CC41B6ABBE5FB64722F11062EF955AB3A0DB31F84687D1
                            Function 01522300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: %%%u$]:%u
                            • API String ID: 48624451-3050659472
                            • Opcode ID: 0c76b174db43d7fee1f8598b8a2565f4ca889ca1a46728390e29d3865619412b
                            • Instruction ID: e3327e7022ac408de15eb00b8536b5419affcf97a2cfc693b4060feb9a5f3d98
                            • Opcode Fuzzy Hash: 0c76b174db43d7fee1f8598b8a2565f4ca889ca1a46728390e29d3865619412b
                            • Instruction Fuzzy Hash: 313188776001299FDB60DF2DCC40BEE77F8FF65610F44455AE949E7140EB309A448BA0
                            Function 014B7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                            • Instruction ID: 268cedf1a3ae51b3babf475ff1e8168ae5a35a09a53607b49e1f22ca9e42a576
                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                            • Instruction Fuzzy Hash: B1919E71E0020A9AEF24DF6DC8D0AFFBBA5AF84762F14451BE955A73E0D73089418B35
                            Function 01479126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280
                            • Opcode ID: 0ab8631932f1d709116a8363100b49601fa4e2032618837fc2ca34ad7adf97c9
                            • Instruction ID: 8e05908e1bd472a2877fb6bc2ac4c98ad8bd0eec9bcee34b2f93a39b61b62082
                            • Opcode Fuzzy Hash: 0ab8631932f1d709116a8363100b49601fa4e2032618837fc2ca34ad7adf97c9
                            • Instruction Fuzzy Hash: DA813B71D002699BDB31DF54CC54BEEBAB4AB18714F0441DBEA19B7260D7709E85CFA0
                            Function 014FCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                            Download Yara Rule
                            APIs
                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 014FCFBD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2343681886.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1440000_PO-0005082025 pdf.jbxd
                            Similarity
                            • API ID: CallFilterFunc@8
                            • String ID: @$@4_w@4_w
                            • API String ID: 4062629308-713214301
                            • Opcode ID: 8107e6fc92959cc715b6f149bbb4c4c0f196e61dd7fb13407f1ffe379712ef30
                            • Instruction ID: c053ad8755006d6c22907763bde4379904b42e9a304ea69ab4239458881404e9
                            • Opcode Fuzzy Hash: 8107e6fc92959cc715b6f149bbb4c4c0f196e61dd7fb13407f1ffe379712ef30
                            • Instruction Fuzzy Hash: 16418EB1900219DFDB219F9AC840AAEBBB8FF65B14F00412FEA15DB364D774D901DBA1