Windows Analysis Report
PO 2025918 pdf.exe

Overview

General Information

Sample name:PO 2025918 pdf.exe
Analysis ID:1590629
MD5:625d2fae7b900a58c7e9daed1f85cab3
SHA1:6c61eb8e5851778e4ed57044c50442dae2b875bd
SHA256:d1a82af2d052117e637c17671568650659a93541083f107e4d1b2d357935928d
Tags:exe, user-TeamDreier
Infos:

Detection

FormBook, PureLog Stealer
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO 2025918 pdf.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\PO 2025918 pdf.exe" MD5: 625D2FAE7B900A58C7E9DAED1F85CAB3)
    • powershell.exe (PID: 6108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO 2025918 pdf.exe (PID: 3628 cmdline: "C:\Users\user\Desktop\PO 2025918 pdf.exe" MD5: 625D2FAE7B900A58C7E9DAED1F85CAB3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2202698189.00000000052A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2186312611.00000000039C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2392521464.00000000015E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2179932515.0000000002A02000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.PO 2025918 pdf.exe.2dd459c.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.PO 2025918 pdf.exe.39e7590.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
5.2.PO 2025918 pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.PO 2025918 pdf.exe.52a0000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
5.2.PO 2025918 pdf.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                      System Summary

                      Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 2025918 pdf.exe", ParentImage: C:\Users\user\Desktop\PO 2025918 pdf.exe, ParentProcessId: 6984, ParentProcessName: PO 2025918 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", ProcessId: 6108, ProcessName: powershell.exe
                      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 2025918 pdf.exe", ParentImage: C:\Users\user\Desktop\PO 2025918 pdf.exe, ParentProcessId: 6984, ParentProcessName: PO 2025918 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", ProcessId: 6108, ProcessName: powershell.exe
                      No Suricata rule has matched

                      AV Detection

                      Source: PO 2025918 pdf.exeVirustotal: Detection: 33%
                      Source: PO 2025918 pdf.exeReversingLabs: Detection: 34%
                      Source: Yara matchFile source: 5.2.PO 2025918 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO 2025918 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2392521464.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: PO 2025918 pdf.exeJoe Sandbox ML: detected
                      Source: PO 2025918 pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO 2025918 pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: eBJB.pdb source: PO 2025918 pdf.exe
                      Source: Binary string: wntdll.pdbUGP source: PO 2025918 pdf.exe, 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO 2025918 pdf.exe, PO 2025918 pdf.exe, 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: eBJB.pdbSHA256 source: PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2179932515.00000000029F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: PO 2025918 pdf.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd

                      E-Banking Fraud

                      Source: Yara matchFile source: 5.2.PO 2025918 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO 2025918 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2392521464.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0042C9C3 NtClose,5_2_0042C9C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0040AD20 NtAllocateVirtualMemory,5_2_0040AD20
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01732DF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01732C70
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017335C0 NtCreateMutant,LdrInitializeThunk,5_2_017335C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01734340 NtSetContextThread,5_2_01734340
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01734650 NtSuspendThread,5_2_01734650
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732B60 NtClose,5_2_01732B60
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732BF0 NtAllocateVirtualMemory,5_2_01732BF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732BE0 NtQueryValueKey,5_2_01732BE0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732BA0 NtEnumerateValueKey,5_2_01732BA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732B80 NtQueryInformationFile,5_2_01732B80
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732AF0 NtWriteFile,5_2_01732AF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732AD0 NtReadFile,5_2_01732AD0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732AB0 NtWaitForSingleObject,5_2_01732AB0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732D30 NtUnmapViewOfSection,5_2_01732D30
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732D10 NtMapViewOfSection,5_2_01732D10
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732D00 NtSetInformationFile,5_2_01732D00
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732DD0 NtDelayExecution,5_2_01732DD0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732DB0 NtEnumerateKey,5_2_01732DB0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732C60 NtCreateKey,5_2_01732C60
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732C00 NtQueryInformationProcess,5_2_01732C00
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732CF0 NtOpenProcess,5_2_01732CF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732CC0 NtQueryVirtualMemory,5_2_01732CC0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732CA0 NtQueryInformationToken,5_2_01732CA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732F60 NtCreateProcessEx,5_2_01732F60
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732F30 NtCreateSection,5_2_01732F30
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732FE0 NtCreateFile,5_2_01732FE0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732FB0 NtResumeThread,5_2_01732FB0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732FA0 NtQuerySection,5_2_01732FA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732F90 NtProtectVirtualMemory,5_2_01732F90
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732E30 NtWriteVirtualMemory,5_2_01732E30
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732EE0 NtQueueApcThread,5_2_01732EE0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732EA0 NtAdjustPrivilegesToken,5_2_01732EA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732E80 NtReadVirtualMemory,5_2_01732E80
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01733010 NtOpenDirectoryObject,5_2_01733010
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01733090 NtSetValueKey,5_2_01733090
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017339B0 NtGetContextThread,5_2_017339B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01733D70 NtOpenThread,5_2_01733D70
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01733D10 NtOpenProcessToken,5_2_01733D10
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 01735130 appears 58 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 0176EA12 appears 86 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 0177F290 appears 105 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 01747E54 appears 111 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 016EB970 appears 280 times
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2179932515.0000000002A02000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2211073419.0000000007680000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2202698189.00000000052A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2178335918.0000000000D4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2186312611.00000000039C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000000.2166476435.00000000006CE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameeBJB.exeB vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000005.00000002.2392642271.00000000017ED000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exeBinary or memory string: OriginalFilenameeBJB.exeB vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal92.troj.evad.winEXE@6/6@0/0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 2025918 pdf.exe.log
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2cioplv.oug.ps1
                      Source: PO 2025918 pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: PO 2025918 pdf.exe, 00000000.00000000.2166406466.0000000000612000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);
                      Source: PO 2025918 pdf.exeVirustotal: Detection: 33%
                      Source: PO 2025918 pdf.exeReversingLabs: Detection: 34%
                      Source: unknownProcess created: C:\Users\user\Desktop\PO 2025918 pdf.exe "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeProcess created: C:\Users\user\Desktop\PO 2025918 pdf.exe "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: PO 2025918 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO 2025918 pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: PO 2025918 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: eBJB.pdb source: PO 2025918 pdf.exe
                      Source: Binary string: wntdll.pdbUGP source: PO 2025918 pdf.exe, 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO 2025918 pdf.exe, PO 2025918 pdf.exe, 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: eBJB.pdbSHA256 source: PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe Static PE information: 0x8AEDD8A2 [Wed Nov 11 08:28:18 2043 UTC]
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_00411A5A push edi; iretd 5_2_00411A5B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_00415A13 push esp; ret 5_2_00415A1E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_0041623C push edi; retf 5_2_0041623D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_0040235F push ds; ret 5_2_0040238E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_004143E3 push ebx; ret 5_2_00414440
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_004143E3 push edi; retf 5_2_00414477
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_0041645E push eax; iretd 5_2_00416462
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_004034F0 push eax; ret 5_2_004034F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_00404616 push edx; ret 5_2_00404617
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_016C225F pushad ; ret 5_2_016C27F9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_016C27FA pushad ; ret 5_2_016C27F9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_016F09AD push ecx; mov dword ptr [esp], ecx 5_2_016F09B6
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_016C283D push eax; iretd 5_2_016C2858
                      Source: PO 2025918 pdf.exe Static PE information: section name: .text entropy: 7.75981250034453

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match - File source: Process Memory Space: PO 2025918 pdf.exe PID: 6984, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: 27D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: 29C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: 49C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: 8AE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: 9AE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: 9CE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Memory allocated: ACE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Code function: 5_2_0173096E rdtsc 5_2_0173096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5526
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2851
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - API coverage: 0.6 %
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe TID: 6572 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128 - Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2452 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe TID: 2460 - Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Process queried: DebugPort
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Code function: 5_2_00417A63 LdrLoadDll, 5_2_00417A63
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe - Code function: 5_2_017C4164 mov eax, dword ptr fs:[00000030h] 5_2_017C4164
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017862A0 mov eax, dword ptr fs:[00000030h]5_2_017862A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01770283 mov eax, dword ptr fs:[00000030h]5_2_01770283
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01770283 mov eax, dword ptr fs:[00000030h]5_2_01770283
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01770283 mov eax, dword ptr fs:[00000030h]5_2_01770283
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E284 mov eax, dword ptr fs:[00000030h]5_2_0172E284
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E284 mov eax, dword ptr fs:[00000030h]5_2_0172E284
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172656A mov eax, dword ptr fs:[00000030h]5_2_0172656A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172656A mov eax, dword ptr fs:[00000030h]5_2_0172656A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172656A mov eax, dword ptr fs:[00000030h]5_2_0172656A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F8550 mov eax, dword ptr fs:[00000030h]5_2_016F8550
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F8550 mov eax, dword ptr fs:[00000030h]5_2_016F8550
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700535 mov eax, dword ptr fs:[00000030h]5_2_01700535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700535 mov eax, dword ptr fs:[00000030h]5_2_01700535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700535 mov eax, dword ptr fs:[00000030h]5_2_01700535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700535 mov eax, dword ptr fs:[00000030h]5_2_01700535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700535 mov eax, dword ptr fs:[00000030h]5_2_01700535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700535 mov eax, dword ptr fs:[00000030h]5_2_01700535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E53E mov eax, dword ptr fs:[00000030h]5_2_0171E53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E53E mov eax, dword ptr fs:[00000030h]5_2_0171E53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E53E mov eax, dword ptr fs:[00000030h]5_2_0171E53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E53E mov eax, dword ptr fs:[00000030h]5_2_0171E53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E53E mov eax, dword ptr fs:[00000030h]5_2_0171E53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01786500 mov eax, dword ptr fs:[00000030h]5_2_01786500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4500 mov eax, dword ptr fs:[00000030h]5_2_017C4500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F25E0 mov eax, dword ptr fs:[00000030h]5_2_016F25E0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E5E7 mov eax, dword ptr fs:[00000030h]5_2_0171E5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172C5ED mov eax, dword ptr fs:[00000030h]5_2_0172C5ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172C5ED mov eax, dword ptr fs:[00000030h]5_2_0172C5ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A5D0 mov eax, dword ptr fs:[00000030h]5_2_0172A5D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A5D0 mov eax, dword ptr fs:[00000030h]5_2_0172A5D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E5CF mov eax, dword ptr fs:[00000030h]5_2_0172E5CF
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E5CF mov eax, dword ptr fs:[00000030h]5_2_0172E5CF
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F65D0 mov eax, dword ptr fs:[00000030h]5_2_016F65D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017145B1 mov eax, dword ptr fs:[00000030h]5_2_017145B1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017145B1 mov eax, dword ptr fs:[00000030h]5_2_017145B1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017705A7 mov eax, dword ptr fs:[00000030h]5_2_017705A7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017705A7 mov eax, dword ptr fs:[00000030h]5_2_017705A7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017705A7 mov eax, dword ptr fs:[00000030h]5_2_017705A7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F2582 mov eax, dword ptr fs:[00000030h]5_2_016F2582
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F2582 mov ecx, dword ptr fs:[00000030h]5_2_016F2582
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E59C mov eax, dword ptr fs:[00000030h]5_2_0172E59C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01724588 mov eax, dword ptr fs:[00000030h]5_2_01724588
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171A470 mov eax, dword ptr fs:[00000030h]5_2_0171A470
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171A470 mov eax, dword ptr fs:[00000030h]5_2_0171A470
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171A470 mov eax, dword ptr fs:[00000030h]5_2_0171A470
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177C460 mov ecx, dword ptr fs:[00000030h]5_2_0177C460
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171245A mov eax, dword ptr fs:[00000030h]5_2_0171245A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017AA456 mov eax, dword ptr fs:[00000030h]5_2_017AA456
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172E443 mov eax, dword ptr fs:[00000030h]5_2_0172E443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016E645D mov eax, dword ptr fs:[00000030h]5_2_016E645D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A430 mov eax, dword ptr fs:[00000030h]5_2_0172A430
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016EC427 mov eax, dword ptr fs:[00000030h]5_2_016EC427
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016EE420 mov eax, dword ptr fs:[00000030h]5_2_016EE420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016EE420 mov eax, dword ptr fs:[00000030h]5_2_016EE420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016EE420 mov eax, dword ptr fs:[00000030h]5_2_016EE420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01776420 mov eax, dword ptr fs:[00000030h]5_2_01776420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01728402 mov eax, dword ptr fs:[00000030h]5_2_01728402
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01728402 mov eax, dword ptr fs:[00000030h]5_2_01728402
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01728402 mov eax, dword ptr fs:[00000030h]5_2_01728402
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F04E5 mov ecx, dword ptr fs:[00000030h]5_2_016F04E5
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017244B0 mov ecx, dword ptr fs:[00000030h]5_2_017244B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F64AB mov eax, dword ptr fs:[00000030h]5_2_016F64AB
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177A4B0 mov eax, dword ptr fs:[00000030h]5_2_0177A4B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017AA49A mov eax, dword ptr fs:[00000030h]5_2_017AA49A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01700770 mov eax, dword ptr fs:[00000030h]5_2_01700770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F8770 mov eax, dword ptr fs:[00000030h]5_2_016F8770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01774755 mov eax, dword ptr fs:[00000030h]5_2_01774755
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732750 mov eax, dword ptr fs:[00000030h]5_2_01732750
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732750 mov eax, dword ptr fs:[00000030h]5_2_01732750
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177E75D mov eax, dword ptr fs:[00000030h]5_2_0177E75D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172674D mov esi, dword ptr fs:[00000030h]5_2_0172674D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172674D mov eax, dword ptr fs:[00000030h]5_2_0172674D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172674D mov eax, dword ptr fs:[00000030h]5_2_0172674D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F0750 mov eax, dword ptr fs:[00000030h]5_2_016F0750
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176C730 mov eax, dword ptr fs:[00000030h]5_2_0176C730
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172273C mov eax, dword ptr fs:[00000030h]5_2_0172273C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172273C mov ecx, dword ptr fs:[00000030h]5_2_0172273C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172273C mov eax, dword ptr fs:[00000030h]5_2_0172273C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172C720 mov eax, dword ptr fs:[00000030h]5_2_0172C720
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172C720 mov eax, dword ptr fs:[00000030h]5_2_0172C720
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01720710 mov eax, dword ptr fs:[00000030h]5_2_01720710
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172C700 mov eax, dword ptr fs:[00000030h]5_2_0172C700
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F0710 mov eax, dword ptr fs:[00000030h]5_2_016F0710
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F47FB mov eax, dword ptr fs:[00000030h]5_2_016F47FB
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F47FB mov eax, dword ptr fs:[00000030h]5_2_016F47FB
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177E7E1 mov eax, dword ptr fs:[00000030h]5_2_0177E7E1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017127ED mov eax, dword ptr fs:[00000030h]5_2_017127ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017127ED mov eax, dword ptr fs:[00000030h]5_2_017127ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017127ED mov eax, dword ptr fs:[00000030h]5_2_017127ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FC7C0 mov eax, dword ptr fs:[00000030h]5_2_016FC7C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017707C3 mov eax, dword ptr fs:[00000030h]5_2_017707C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F07AF mov eax, dword ptr fs:[00000030h]5_2_016F07AF
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017A47A0 mov eax, dword ptr fs:[00000030h]5_2_017A47A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0179678E mov eax, dword ptr fs:[00000030h]5_2_0179678E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01722674 mov eax, dword ptr fs:[00000030h]5_2_01722674
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A660 mov eax, dword ptr fs:[00000030h]5_2_0172A660
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A660 mov eax, dword ptr fs:[00000030h]5_2_0172A660
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017B866E mov eax, dword ptr fs:[00000030h]5_2_017B866E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017B866E mov eax, dword ptr fs:[00000030h]5_2_017B866E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170C640 mov eax, dword ptr fs:[00000030h]5_2_0170C640
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F262C mov eax, dword ptr fs:[00000030h]5_2_016F262C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01726620 mov eax, dword ptr fs:[00000030h]5_2_01726620
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01728620 mov eax, dword ptr fs:[00000030h]5_2_01728620
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170E627 mov eax, dword ptr fs:[00000030h]5_2_0170E627
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01732619 mov eax, dword ptr fs:[00000030h]5_2_01732619
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170260B mov eax, dword ptr fs:[00000030h]5_2_0170260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E609 mov eax, dword ptr fs:[00000030h]5_2_0176E609
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E6F2 mov eax, dword ptr fs:[00000030h]5_2_0176E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E6F2 mov eax, dword ptr fs:[00000030h]5_2_0176E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E6F2 mov eax, dword ptr fs:[00000030h]5_2_0176E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E6F2 mov eax, dword ptr fs:[00000030h]5_2_0176E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017706F1 mov eax, dword ptr fs:[00000030h]5_2_017706F1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017706F1 mov eax, dword ptr fs:[00000030h]5_2_017706F1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0172A6C7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172A6C7 mov eax, dword ptr fs:[00000030h]5_2_0172A6C7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017266B0 mov eax, dword ptr fs:[00000030h]5_2_017266B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172C6A6 mov eax, dword ptr fs:[00000030h]5_2_0172C6A6
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F4690 mov eax, dword ptr fs:[00000030h]5_2_016F4690
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F4690 mov eax, dword ptr fs:[00000030h]5_2_016F4690
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01794978 mov eax, dword ptr fs:[00000030h]5_2_01794978
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01794978 mov eax, dword ptr fs:[00000030h]5_2_01794978
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177C97C mov eax, dword ptr fs:[00000030h]5_2_0177C97C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716962 mov eax, dword ptr fs:[00000030h]5_2_01716962
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716962 mov eax, dword ptr fs:[00000030h]5_2_01716962
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716962 mov eax, dword ptr fs:[00000030h]5_2_01716962
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0173096E mov eax, dword ptr fs:[00000030h]5_2_0173096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0173096E mov edx, dword ptr fs:[00000030h]5_2_0173096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0173096E mov eax, dword ptr fs:[00000030h]5_2_0173096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01770946 mov eax, dword ptr fs:[00000030h]5_2_01770946
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017C4940 mov eax, dword ptr fs:[00000030h]5_2_017C4940
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0178892B mov eax, dword ptr fs:[00000030h]5_2_0178892B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177892A mov eax, dword ptr fs:[00000030h]5_2_0177892A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177C912 mov eax, dword ptr fs:[00000030h]5_2_0177C912
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016E8918 mov eax, dword ptr fs:[00000030h]5_2_016E8918
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016E8918 mov eax, dword ptr fs:[00000030h]5_2_016E8918
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E908 mov eax, dword ptr fs:[00000030h]5_2_0176E908
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176E908 mov eax, dword ptr fs:[00000030h]5_2_0176E908
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017229F9 mov eax, dword ptr fs:[00000030h]5_2_017229F9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017229F9 mov eax, dword ptr fs:[00000030h]5_2_017229F9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0177E9E0 mov eax, dword ptr fs:[00000030h]5_2_0177E9E0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017249D0 mov eax, dword ptr fs:[00000030h]5_2_017249D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017BA9D3 mov eax, dword ptr fs:[00000030h]5_2_017BA9D3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017869C0 mov eax, dword ptr fs:[00000030h]5_2_017869C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FA9D0 mov eax, dword ptr fs:[00000030h]5_2_016FA9D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FA9D0 mov eax, dword ptr fs:[00000030h]5_2_016FA9D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FA9D0 mov eax, dword ptr fs:[00000030h]5_2_016FA9D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FA9D0 mov eax, dword ptr fs:[00000030h]5_2_016FA9D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FA9D0 mov eax, dword ptr fs:[00000030h]5_2_016FA9D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016FA9D0 mov eax, dword ptr fs:[00000030h]5_2_016FA9D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F09AD mov eax, dword ptr fs:[00000030h]5_2_016F09AD
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016F09AD mov eax, dword ptr fs:[00000030h]5_2_016F09AD
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017789B3 mov esi, dword ptr fs:[00000030h]5_2_017789B3
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Process created: C:\Users\user\Desktop\PO 2025918 pdf.exe "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match, File source: 5.2.PO 2025918 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.PO 2025918 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.2392521464.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.2dd459c.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.39e7590.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.52a0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.39e7590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.52a0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.2dd459c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.2bb276c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000002.2202698189.00000000052A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.2186312611.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.2179932515.0000000002A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match, File source: 5.2.PO 2025918 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.PO 2025918 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.2392521464.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.2dd459c.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.39e7590.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.52a0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.39e7590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.52a0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.2dd459c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.PO 2025918 pdf.exe.2bb276c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000002.2202698189.00000000052A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.2186312611.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.2179932515.0000000002A02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      Behavior Graph
                      ID: 1590629, Sample: PO 2025918 pdf.exe, Start date: 14/01/2025, Architecture: WINDOWS, Score: 92
                      Signatures: Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; Yara detected FormBook; 5 other signatures
                      • PO 2025918 pdf.exe (started)
                        • Signature: Adds a directory exclusion to Windows Defender
                        • Dropped file: C:\Users\user\...\PO 2025918 pdf.exe.log (ASCII)
                        • powershell.exe (started)
                          • Signature: Loading BitLocker PowerShell Module
                          • conhost.exe (started)
                        • PO 2025918 pdf.exe (started)

                      Source | Detection | Scanner | Label
                      PO 2025918 pdf.exe | 33% | Virustotal |
                      PO 2025918 pdf.exe | 34% | ReversingLabs | Win32.Virus.Virut
                      PO 2025918 pdf.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO 2025918 pdf.exe, 00000000.00000002.2179932515.00000000029F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://tempuri.org/DataSet1.xsd | PO 2025918 pdf.exe | false | | high
                            No contacted IP infos
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1590629
                            Start date and time:2025-01-14 11:53:11 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 9s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:PO 2025918 pdf.exe
                            Detection:MAL
                            Classification:mal92.troj.evad.winEXE@6/6@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 96%
                            • Number of executed functions: 29
                            • Number of non-executed functions: 266
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 40.126.32.140, 40.126.32.72, 20.190.160.14, 40.126.32.138, 40.126.32.74, 40.126.32.134, 20.190.160.17, 20.190.160.22, 2.23.242.162, 13.107.246.45, 4.245.163.56, 23.1.237.91, 2.23.227.208
                            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            Time | Type | Description
                            05:54:15 | API Interceptor | 4x Sleep call for process: PO 2025918 pdf.exe modified
                            05:54:18 | API Interceptor | 14x Sleep call for process: powershell.exe modified
                            No context
                            Match: bg.microsoft.map.fastly.net
                            Associated Sample Name / URL | Detection | Threat Name | Context
                            New purchase order.exe | malicious | FormBook, PureLog Stealer | 199.232.210.172
                            35491083472324549.js | malicious | Strela Downloader | 199.232.214.172
                            28236151432955330765.js | malicious | Strela Downloader | 199.232.210.172
                            ProductBOMpq_v4.xlsm | malicious | Unknown | 199.232.214.172
                            17201670993971103.js | malicious | Strela Downloader | 199.232.214.172
                            Scanned-IMGS_from NomanGroup IDT.scr.exe | malicious | FormBook | 199.232.210.172
                            12.exe | malicious | Unknown | 199.232.214.172
                            UoEDaAjHGW.exe | malicious | PureLog Stealer, Quasar | 199.232.210.172
                            PRODUKTY.EXE.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.210.172
                            2330118683179179335.js | malicious | Strela Downloader | 199.232.210.172
                            Process:C:\Users\user\Desktop\PO 2025918 pdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1172
                            Entropy (8bit):5.355750237007024
                            Encrypted:false
                            SSDEEP:24:3SWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NKIl9iagu:CWSU4xympjmZ9tz4RIoUl8NDv
                            MD5:80E5C4F5D2B7365D0B6200D13A4D7971
                            SHA1:45C872CD28C4411D0308AD0A38D7A8E7DCA1D3C6
                            SHA-256:B8EDDE3D2C675B7DA9435DCA5195932FCB51FC19456F99C86E61DB8C0710304F
                            SHA-512:4FB358DD9DE97EDED4A12DC125B2939CDBF9929D0A70C409CB4D1B4A4DDCA67A5895342389261C3100D377A14755B2EAC2FBC0EAD90653210D01D4897D294E91
                            Malicious:false
                            Reputation:low
                            Preview:@...e.................................&..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.753200255509009
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:PO 2025918 pdf.exe
                            File size:765'952 bytes
                            MD5:625d2fae7b900a58c7e9daed1f85cab3
                            SHA1:6c61eb8e5851778e4ed57044c50442dae2b875bd
                            SHA256:d1a82af2d052117e637c17671568650659a93541083f107e4d1b2d357935928d
                            SHA512:19ef418977acc405e15d90bcd2df26e2166824b7e142c8672acdc8f12ab0e50669aac0002c54587353fe1a92fcdbe5c7716191e5f4d9ed0726f4780f65253ffc
                            SSDEEP:12288:wYRxA4Y5lyA/BxSPCj6HGXjxU70KoJZTb0r4d2SS8Kgqy4wenbJuuCkq64Qxhrok:nRnSWw9Ld2SA3n940hERompRZzK
                            TLSH:30F40258632DE907C0621BB44932D3F823B59E89A621C7139BED3EFFBC76B462914351
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x4bc416
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x8AEDD8A2 [Wed Nov 11 08:28:18 2043 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            call far 0000h : 003E9999h
                            aas
                            int CCh
                            dec esp
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc3c3 | 0x4f | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x5e0 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbabf4 | 0x70 | .text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0xba42c | 0xba600 | df9384085315899193145442a4f25db6 | False | 0.9214387889839034 | data | 7.75981250034453 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xbe000 | 0x5e0 | 0x600 | 47901c52e8fbf9c7b3da43929a8006b8 | False | 0.4329427083333333 | data | 4.167562861508636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xc0000 | 0xc | 0x200 | 170dcdc63460337693c79a488cb7d376 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0xbe090 | 0x350 | data | | | 0.4257075471698113
                            RT_MANIFEST | 0xbe3f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jan 14, 2025 11:54:14.201073885 CET | 1.1.1.1 | 192.168.2.5 | 0x78f5 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                            Jan 14, 2025 11:54:14.201073885 CET | 1.1.1.1 | 192.168.2.5 | 0x78f5 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


                            Target ID:0
                            Start time:05:54:15
                            Start date:14/01/2025
                            Path:C:\Users\user\Desktop\PO 2025918 pdf.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\PO 2025918 pdf.exe"
                            Imagebase:0x610000
                            File size:765'952 bytes
                            MD5 hash:625D2FAE7B900A58C7E9DAED1F85CAB3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2202698189.00000000052A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2186312611.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2179932515.0000000002A02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:05:54:16
                            Start date:14/01/2025
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                            Imagebase:0xd70000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:05:54:16
                            Start date:14/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:05:54:16
                            Start date:14/01/2025
                            Path:C:\Users\user\Desktop\PO 2025918 pdf.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\PO 2025918 pdf.exe"
                            Imagebase:0xc70000
                            File size:765'952 bytes
                            MD5 hash:625D2FAE7B900A58C7E9DAED1F85CAB3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2392521464.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:4.1%
                              Total number of Nodes:74
                              Total number of Limit Nodes:8
                              [Figure: execution graph 15516. API calls labelled on its nodes: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, GetModuleHandleW, DuplicateHandle]

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Pp]q
                              • API String ID: 0-2528107101

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Pp]q
                              • API String ID: 0-2528107101

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 027DD3F6
                              • GetCurrentThread.KERNEL32 ref: 027DD433
                              • GetCurrentProcess.KERNEL32 ref: 027DD470
                              • GetCurrentThreadId.KERNEL32 ref: 027DD4C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 027DD3F6
                              • GetCurrentThread.KERNEL32 ref: 027DD433
                              • GetCurrentProcess.KERNEL32 ref: 027DD470
                              • GetCurrentThreadId.KERNEL32 ref: 027DD4C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 027DB626
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 027D59C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 027D59C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 452 27d5a84-27d5a90 453 27d5a42-27d5a47 452->453 454 27d5a92-27d5b14 452->454 457 27d5a4b-27d5a4f 453->457 458 27d5a51-27d5a5d 457->458 459 27d5a60 457->459 458->459 461 27d5a61 459->461 461->461
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 268dc3415117d697dc1efcdfa49c1c879cfc62146b0265a3dcea84e6c6e859ed
                              • Instruction ID: 9b1f7b8a16fc6c2a5043074a58f538d58c2a9a5cc23d6aa97ee3f55796a09ca5
                              • Opcode Fuzzy Hash: 268dc3415117d697dc1efcdfa49c1c879cfc62146b0265a3dcea84e6c6e859ed
                              • Instruction Fuzzy Hash: D531BEB0804659CFEB11DFE9C8947EDBFF1EF56308F94418AC005AB255C77AA94ACB01

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DDA4F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DDA4F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 027DB626
                              Memory Dump Source
                              • Source File: 00000000.00000002.2179431556.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_27d0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0

                              Execution Graph

                              Execution Coverage:0.8%
                              Dynamic/Decrypted Code Coverage:5.7%
                              Signature Coverage:5.7%
                              Total number of Nodes:106
                              Total number of Limit Nodes:9

                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AD5
                              Memory Dump Source
                              • Source File: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              • Opcode ID: 796422a0e03da6e05e870b9df345f99345e8cc58a3a3a3b03bc6c72230115a90
                              • Instruction ID: 0800c33516af0022d0b17055a186c9f0e9460697c5db4936c8195cfb473c91ec
                              • Opcode Fuzzy Hash: 796422a0e03da6e05e870b9df345f99345e8cc58a3a3a3b03bc6c72230115a90
                              • Instruction Fuzzy Hash: E00175B1E0010DABDF10DBE1DC42FDEB378AF54308F4081A6E90897241F674EB588B55

                              Control-flow Graph

                              control_flow_graph 85 42c9c3-42c9ff call 404993 call 42dbe3 NtClose
                              APIs
                              • NtClose.NTDLL(00424CF4,?,-665E6599,?,?,00424CF4,?,00009D57), ref: 0042C9FA
                              Memory Dump Source
                              • Source File: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 9b38cc4083fcf95519bbd2f222b190f3b983931ae5abd193463e60ae3ae6f940
                              • Instruction ID: eb656e4eeb6cc65563beea3f5f9dfeb29813091517ec9c3f1aba9bd37f9daa79
                              • Opcode Fuzzy Hash: 9b38cc4083fcf95519bbd2f222b190f3b983931ae5abd193463e60ae3ae6f940
                              • Instruction Fuzzy Hash: 2CE04F756042147BD220AA6ADC41F9B775CDBC9714F508069FA0C67242C675791187B4

                              Control-flow Graph

                              control_flow_graph 100 1732df0-1732dfc LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 8b38139f7dd0ca52afefdeaecfe02002cdaf108d71fbe367163d1a09f9621245
                              • Instruction ID: 241b5e28d1db50fe4ecacb613d39fc586e2fb66f865c04eca998702c93b0264b
                              • Opcode Fuzzy Hash: 8b38139f7dd0ca52afefdeaecfe02002cdaf108d71fbe367163d1a09f9621245
                              • Instruction Fuzzy Hash: 8090023130540813D21171984504707400997D0241F95C422A0424568DD7968B52A222

                              Control-flow Graph

                              control_flow_graph 99 1732c70-1732c7c LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: e44cf641f2ce1e483c521d9dfe3b41cdb5a959be9d2ef43e1b4f3c3d19affb95
                              • Instruction ID: e9304fd3d3b27461b7f3afa31f81cdc7cbe6ec79fac2a3746a119138302a56a3
                              • Opcode Fuzzy Hash: e44cf641f2ce1e483c521d9dfe3b41cdb5a959be9d2ef43e1b4f3c3d19affb95
                              • Instruction Fuzzy Hash: 3690023130548C03D2107198840474A400597D0301F59C421A4424668DC7D58A917222

                              Control-flow Graph

                              control_flow_graph 101 17335c0-17335cc LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 472e36d67842cb028c69530f3f339f40b2a03c07f13d04d7d103383b9d16304f
                              • Instruction ID: e874e5bb6f6c741e8f70feb56f2cbe7cc4f5adbab63c6b67ddf6eb0037a2fc54
                              • Opcode Fuzzy Hash: 472e36d67842cb028c69530f3f339f40b2a03c07f13d04d7d103383b9d16304f
                              • Instruction Fuzzy Hash: 3990023170950803D20071984514706500597D0201F65C421A0424578DC7D58B5166A3

                              Control-flow Graph

                              control_flow_graph 0 417ae3-417aec 1 417ad1-417ad7 LdrLoadDll 0->1 2 417aee-417aef 0->2 5 417ada-417add 1->5 3 417af1-417af6 2->3 4 417a98-417aa0 2->4 6 417af8-417b08 3->6 7 417b0f 3->7 8 417ab0-417ac1 call 42e0f3 4->8 9 417aa2-417aa8 call 42fee3 4->9 6->7 10 417b11-417b29 7->10 8->5 17 417ac3-417ad0 8->17 15 417aad 9->15 10->10 14 417b2b-417b3b 10->14 15->8 17->1
                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AD5
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID: axD3
                              • API String ID: 2234796835-3556351365
                              • Opcode ID: 878dfedd390b4e169c5c909b9aebd42986a9202124793dd2abb74fc700858bd0
                              • Instruction ID: 5f15b57304db88241ac4cc0d6c6d2276f5506b99c897ca4869340483d7a91710
                              • Opcode Fuzzy Hash: 878dfedd390b4e169c5c909b9aebd42986a9202124793dd2abb74fc700858bd0
                              • Instruction Fuzzy Hash: 94118671A442066BE700CBA5CC42BDFB7B8DF04768F14822AED2597281E374EA46C795

                              Control-flow Graph

                              control_flow_graph 75 42ccf3-42cd34 call 404993 call 42dbe3 RtlAllocateHeap
                              APIs
                              • RtlAllocateHeap.NTDLL(00000104,?,00424CFF,?,?,00424CFF,?,00000104,?,00009D57), ref: 0042CD2F
                              Memory Dump Source
                              • Source File: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 8af235827bdae546ae595d1eb37e2a3b6d82698474d1be62dc12886f45d2914b
                              • Instruction ID: cb442fef8ab787463d58d4e17d22a99d0027002ea8d48f12f6d2fc59108ae3c9
                              • Opcode Fuzzy Hash: 8af235827bdae546ae595d1eb37e2a3b6d82698474d1be62dc12886f45d2914b
                              • Instruction Fuzzy Hash: 9FE06DB56042047BD620EF59EC41E9B77ACDFC8710F004019FA08A7241C675BD11CBB8

                              Control-flow Graph

                              control_flow_graph 80 42cd43-42cd84 call 404993 call 42dbe3 RtlFreeHeap
                              APIs
                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,F845C700,00000007,00000000,00000004,00000000,004172CE,000000F4), ref: 0042CD7F
                              Memory Dump Source
                              • Source File: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: dab1178799a105d25c6e3316018af06c701a3083eb78f3c61f33bb5845b2359f
                              • Instruction ID: 7395edaf297d5e7ca3aa9e3b0020c32f778f50e7afa72829ba8406197be42610
                              • Opcode Fuzzy Hash: dab1178799a105d25c6e3316018af06c701a3083eb78f3c61f33bb5845b2359f
                              • Instruction Fuzzy Hash: 2DE06DB66083047BD610EF59DC41F9B37ACDFC8710F004019FA08A7241C675B9108BB8

                              Control-flow Graph

                              control_flow_graph 90 42cd93-42cdcc call 404993 call 42dbe3 ExitProcess
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.2391928642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              • Opcode ID: 8b44ef5fd1ac1b24815c7711b62f7492f91eceab24c3cb0b3cc850fa7ca7bbda
                              • Instruction ID: e9a4047e2e6157e7cf64b94a01f01a68d25e3d9aa703a6ddb621b4b25ad1c7a6
                              • Opcode Fuzzy Hash: 8b44ef5fd1ac1b24815c7711b62f7492f91eceab24c3cb0b3cc850fa7ca7bbda
                              • Instruction Fuzzy Hash: 8AE04F752002147BC520AA5ADC01F9B775CDFC5714F40402AFA08AB242C670B90087B5

                              Control-flow Graph

                              control_flow_graph 95 1732c0a-1732c0f 96 1732c11-1732c18 95->96 97 1732c1f-1732c26 LdrInitializeThunk 95->97
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 1fe22749b42541f7743aea3686f67b2e27142dd1848421957dec3d080b1e2719
                              • Instruction ID: 198a11d1ac590dde7fbd34f8dd3b371528311f32af989f5da8fdefbc5d9500a5
                              • Opcode Fuzzy Hash: 1fe22749b42541f7743aea3686f67b2e27142dd1848421957dec3d080b1e2719
                              • Instruction Fuzzy Hash: 1EB09B71A055C5C6DB11F7A44608717B90077D0701F15C071D2030651F4778D1D1E276
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                              • API String ID: 0-2160512332
                              • Opcode ID: 36f08d76a292c47ae36fd4011f5aac7c76fa80348381e7e9aab3599b0bb3ec64
                              • Instruction ID: d280fa8421f02fc59fc0aa51332ffbca49cd5c0c418a85c754f3e67307cfec84
                              • Opcode Fuzzy Hash: 36f08d76a292c47ae36fd4011f5aac7c76fa80348381e7e9aab3599b0bb3ec64
                              • Instruction Fuzzy Hash: FF92A071604342AFEB21DF28C844B6BF7E9BB88754F04492DFAA5D7252D770E844CB92
                              Strings
                              • double initialized or corrupted critical section, xrefs: 01765508
                              • Critical section address, xrefs: 01765425, 017654BC, 01765534
                              • Address of the debug info found in the active list., xrefs: 017654AE, 017654FA
                              • Critical section debug info address, xrefs: 0176541F, 0176552E
                              • Critical section address., xrefs: 01765502
                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0176540A, 01765496, 01765519
                              • Invalid debug info address of this critical section, xrefs: 017654B6
                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017654E2
                              • undeleted critical section in freed memory, xrefs: 0176542B
                              • Thread identifier, xrefs: 0176553A
                              • Thread is in a state in which it cannot own a critical section, xrefs: 01765543
                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017654CE
                              • corrupted critical section, xrefs: 017654C2
                              • 8, xrefs: 017652E3
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                              • API String ID: 0-2368682639
                              • Opcode ID: 5be892da9b38f2e032162fc6ebbeb60f9247521d19a1db6a79892ad7db2039fd
                              • Instruction ID: 1b2222afa5a66da22aa559bb3a4ea6f19383d8581dea3cf6c05f86ec797a1f09
                              • Opcode Fuzzy Hash: 5be892da9b38f2e032162fc6ebbeb60f9247521d19a1db6a79892ad7db2039fd
                              • Instruction Fuzzy Hash: CB819AB1A01358EFDB20CF9ACC49BAEFBF9AB48B14F204159F909B7241C775A945CB50
                              Strings
                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01762602
                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0176261F
                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017625EB
                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01762412
                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01762624
                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01762409
                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017624C0
                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017622E4
                              • @, xrefs: 0176259B
                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01762506
                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01762498
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                              • API String ID: 0-4009184096
                              • Opcode ID: 5f424d379682393a24051b90ca26c7cabc17935e61bff5af778b5e591c683701
                              • Instruction ID: e037b5da300b719a657b4286c7c63dd5f24a6500957c0c6c94be67613aa33f9e
                              • Opcode Fuzzy Hash: 5f424d379682393a24051b90ca26c7cabc17935e61bff5af778b5e591c683701
                              • Instruction Fuzzy Hash: 7D0260B1D042299BDB71DB54CD84BEAF7B8AB54304F4041DAEA09A7242EB309FC5CF59
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                              • API String ID: 0-2515994595
                              • Opcode ID: 30b35645e67da624c17e4fb9170bcc9a7e322ae8f77ad67b0ca104ee6114b6ac
                              • Instruction ID: 774dc64b8b61ca341ac8083e64b809717a2d277a271bdce9ff3da0032dc1d4f1
                              • Opcode Fuzzy Hash: 30b35645e67da624c17e4fb9170bcc9a7e322ae8f77ad67b0ca104ee6114b6ac
                              • Instruction Fuzzy Hash: 7C5101711053499BCB29CF289844BABFBE8EF9A600F14492DEA59C3241E770D548CB93
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                              • API String ID: 0-1700792311
                              • Opcode ID: f7ecd30b3a12efb7e29923437c0c6c7b232cadd5d53d0532fae43f1cc8dcd20c
                              • Instruction ID: 0c93fb793054538b30495c38c1caa5f2462ca95fa1b0b57f00f8f4d551f37cc9
                              • Opcode Fuzzy Hash: f7ecd30b3a12efb7e29923437c0c6c7b232cadd5d53d0532fae43f1cc8dcd20c
                              • Instruction Fuzzy Hash: 20D1EF31600286DFDB22DF68C844AA9FBF2FF8A714F588A4DF4469B252C734E940CB54
                              Strings
                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01778A3D
                              • AVRF: -*- final list of providers -*- , xrefs: 01778B8F
                              • VerifierDebug, xrefs: 01778CA5
                              • VerifierDlls, xrefs: 01778CBD
                              • HandleTraces, xrefs: 01778C8F
                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01778A67
                              • VerifierFlags, xrefs: 01778C50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                              • API String ID: 0-3223716464
                              • Opcode ID: 6ade8bdeb9f185c8fe319018629949f092492bb2079b0d569813740bed1ad908
                              • Instruction ID: 589fd3e2d05dcf51d5e5a424920c05699137ef884f91392684d9b8a9d3514aa4
                              • Opcode Fuzzy Hash: 6ade8bdeb9f185c8fe319018629949f092492bb2079b0d569813740bed1ad908
                              • Instruction Fuzzy Hash: 7A9116B2A453169FDB21EF28CC88B2AFBE8AB58728F45455CFA416F254C7709D00C796
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                              • API String ID: 0-792281065
                              • Opcode ID: dbee8f080aadc2274fc321f1a22abcaaa60ec9c33d7563130261529e827221d6
                              • Instruction ID: f7c9e46c4e23a0a5c6fdd9250fcf7cc441f544418df60ac522ba9fa54a95a033
                              • Opcode Fuzzy Hash: dbee8f080aadc2274fc321f1a22abcaaa60ec9c33d7563130261529e827221d6
                              • Instruction Fuzzy Hash: AB913970B00325DBDB35DF58D888BAAFBE5BB58B24F24406DFD026B285D7709942C790
                              Strings
                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01749A01
                              • apphelp.dll, xrefs: 016E6496
                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01749A2A
                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017499ED
                              • LdrpInitShimEngine, xrefs: 017499F4, 01749A07, 01749A30
                              • minkernel\ntdll\ldrinit.c, xrefs: 01749A11, 01749A3A
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                              • API String ID: 0-204845295
                              • Opcode ID: a85dbaca693cee3a38de59c70c3cb60561b2b7648dad29611728e308e61879b3
                              • Instruction ID: 33f741123175c6500443ebb32c167582ed183e96156010bca0992e4c5c205ca7
                              • Opcode Fuzzy Hash: a85dbaca693cee3a38de59c70c3cb60561b2b7648dad29611728e308e61879b3
                              • Instruction Fuzzy Hash: 8F51E3713483059FD721DF24CC95BABB7E8FB98658F00491DFA869B154D730EA04CB92
                              Strings
                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017621BF
                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01762178
                              • SXS: %s() passed the empty activation context, xrefs: 01762165
                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0176219F
                              • RtlGetAssemblyStorageRoot, xrefs: 01762160, 0176219A, 017621BA
                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01762180
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                              • API String ID: 0-861424205
                              • Opcode ID: 707ddd23b5cc6c6a1a4d2c8642b35878906563f75b23a7f634a4dad76639aafe
                              • Instruction ID: 5f5f8807aae7d976e3195f489124168f72f18f69f730e9851432bf808a15e875
                              • Opcode Fuzzy Hash: 707ddd23b5cc6c6a1a4d2c8642b35878906563f75b23a7f634a4dad76639aafe
                              • Instruction Fuzzy Hash: 63310536F44235BBEB219A998C45F6BFA68DB64A54F050069FF05BB242D270DE01C6A2
                              Strings
                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 017681E5
                              • LdrpInitializeImportRedirection, xrefs: 01768177, 017681EB
                              • Loading import redirection DLL: '%wZ', xrefs: 01768170
                              • LdrpInitializeProcess, xrefs: 0172C6C4
                              • minkernel\ntdll\ldrinit.c, xrefs: 0172C6C3
                              • minkernel\ntdll\ldrredirect.c, xrefs: 01768181, 017681F5
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                              APIs
                                • Part of subcall function 01732DF0: LdrInitializeThunk.NTDLL ref: 01732DFA
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01730BA3
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01730BB6
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01730D60
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01730D74
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                              • String ID:
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                              Strings
                              • LdrpInitializeProcess, xrefs: 01728422
                              • @, xrefs: 01728591
                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0172855E
                              • minkernel\ntdll\ldrinit.c, xrefs: 01728421
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                              Strings
                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017621D9, 017622B1
                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017622B6
                              • SXS: %s() passed the empty activation context, xrefs: 017621DE
                              • .Local, xrefs: 017228D8
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                              Strings
                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0176342A
                              • RtlDeactivateActivationContext, xrefs: 01763425, 01763432, 01763451
                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01763437
                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01763456
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                              Strings
                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01751028
                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01750FE5
                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017510AE
                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0175106B
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                              Strings
                              • apphelp.dll, xrefs: 01712462
                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0175A992
                              • minkernel\ntdll\ldrinit.c, xrefs: 0175A9A2
                              • LdrpDynamicShimModule, xrefs: 0175A998
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                              Strings
                              • HEAP[%wZ]: , xrefs: 01703255
                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0170327D
                              • HEAP: , xrefs: 01703264
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: $@
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: FilterFullPath$UseFilter$\??\
                              Strings
                              • LdrpCheckModule, xrefs: 0175A117
                              • minkernel\ntdll\ldrinit.c, xrefs: 0175A121
                              • Failed to allocated memory for shimmed module list, xrefs: 0175A10F
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                              Strings
                              • LdrpInitializePerUserWindowsDirectory, xrefs: 017682DE
                              • Failed to reallocate the system dirs string !, xrefs: 017682D7
                              • minkernel\ntdll\ldrinit.c, xrefs: 017682E8
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                              Strings
                              • @, xrefs: 017AC1F1
                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017AC1C5
                              • PreferredUILanguages, xrefs: 017AC212
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                              Strings
                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01774888
                              • LdrpCheckRedirection, xrefs: 0177488F
                              • minkernel\ntdll\ldrredirect.c, xrefs: 01774899
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                              Strings
                              • Process initialization failed with status 0x%08lx, xrefs: 017720F3
                              • LdrpInitializationFailure, xrefs: 017720FA
                              • minkernel\ntdll\ldrinit.c, xrefs: 01772104
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: #%u
                              Strings
                              • LdrResSearchResource Exit, xrefs: 016FAA25
                              • LdrResSearchResource Enter, xrefs: 016FAA13
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: `$`
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: Legacy$UEFI
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: @$MUI
                              Strings
                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 016F063D
                              • kLsE, xrefs: 016F0540
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                              • API String ID: 0-2547482624
                              Strings
                              • RtlpResUltimateFallbackInfo Enter, xrefs: 016FA2FB
                              • RtlpResUltimateFallbackInfo Exit, xrefs: 016FA309
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                              • API String ID: 0-2876891731
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: Cleanup Group$Threadpool!
                              • API String ID: 2994545307-4008356553
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: MUI
                              • API String ID: 0-1339004836
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: GlobalTags
                              • API String ID: 0-1106856819
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: .mui
                              • API String ID: 0-1199573805
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: EXT-
                              • API String ID: 0-1948896318
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryHash
                              • API String ID: 0-2202222882
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: #
                              • API String ID: 0-1885708031
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryName
                              • API String ID: 0-215506332
                              Strings
                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0177895E
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                              • API String ID: 0-702105204
                              • Instruction ID: a7f3b80a4ad77a6e12733998f57bccc664c4c0eeda4a42de6fcb4a01c4a50038
                              • Opcode Fuzzy Hash: b1e91d3c09f9a8f7c695697da434b4092c68acee60cdd5ece4eb8a086560f213
                              • Instruction Fuzzy Hash: 3E819271A0061A9FDB28CF69D940ABEFBF9FB48700F14852EE455D7641E334E940CBA4
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                              • Instruction ID: 7736563f89543db7afb226bfd0579cac5d70c3a12892299f40dbf519efaf8c25
                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                              • Instruction Fuzzy Hash: 09816D71A0020A9FDF19DF98C8D4BEEFBB6AF84310F188569D9169B349DB34E941CB50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 19a602aca8afc1723ca1f8dc1982da40aaf457f4f0a4e3f906875ac53b6a7584
                              • Instruction ID: 550afb9aaa89f1b43ab8eb7d5069e48328f51f8a7d81f6d71ce9f92fb39a3984
                              • Opcode Fuzzy Hash: 19a602aca8afc1723ca1f8dc1982da40aaf457f4f0a4e3f906875ac53b6a7584
                              • Instruction Fuzzy Hash: 31814071900619EFDB25CFA9C880AEEFBF9FF88354F144429E556A7251DB30AC46CB60
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f90ac15501b8aeb3bda872f936592ae7c09e36e480e6b393099563dbdef5c4c9
                              • Instruction ID: 99539218e9887452791c9a0d035ab6e4784d9356c5ec0919ff6d74f6561d9afc
                              • Opcode Fuzzy Hash: f90ac15501b8aeb3bda872f936592ae7c09e36e480e6b393099563dbdef5c4c9
                              • Instruction Fuzzy Hash: 6371AB75904629DBCB268F59C8907BEFBF5FF5C710F14829AE942AB390D7749840CBA0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 479c6317a1fd12e811e4dd6c0e23305527d8c9a10b590f9ef63ae15d88ebb294
                              • Instruction ID: 3b61d68045ce491bd132483da672596d8e13ecc4e0f388f0fc9588940fe95e52
                              • Opcode Fuzzy Hash: 479c6317a1fd12e811e4dd6c0e23305527d8c9a10b590f9ef63ae15d88ebb294
                              • Instruction Fuzzy Hash: 8171C770900205EFDB20CF59D954A5AFBF8FFE8710F88825AF6019B259D7739A80CB55
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cfd78dbe5ec09c1193136b13ef6eaaa494e647339c8d6ed59676be144e9b52a4
                              • Instruction ID: 03f542060c9caa5df7501597c796d61209f53051a7e85642fe62f0750ed69324
                              • Opcode Fuzzy Hash: cfd78dbe5ec09c1193136b13ef6eaaa494e647339c8d6ed59676be144e9b52a4
                              • Instruction Fuzzy Hash: 9171CE32604242CFD312DF28C888B2AF7E5FF84310F0485AAE9998B796DB74D845CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                              • Instruction ID: 2fef8f3d44c6c4bc3a141df8cccde06bf5ab7c904bbb4eb19db3487572a49d20
                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                              • Instruction Fuzzy Hash: 34715C71A00619EFDB11DFA9C988EAEFBB9FF48700F104569E505EB294DB34EA41CB50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9a5a4fc139310e8cd686503d8c2ed25ee7ca97a63366a79f0f3931e1c88f10e
                              • Instruction ID: 56ac4f7d47f54abea4448c54ec6318e77128383d1c0eac46ea99db8b21dab59a
                              • Opcode Fuzzy Hash: b9a5a4fc139310e8cd686503d8c2ed25ee7ca97a63366a79f0f3931e1c88f10e
                              • Instruction Fuzzy Hash: CD71C232280B01BFE732EF18C849F5AFBE6EB44724F144918F65A8B6A1D775E944CB50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c755a6632b3fe3032261bc32ae816edc99958700fc1875eaef1e4bbbffc81a41
                              • Instruction ID: c4b57928ad4e56c587509d55281c69cbaa82ddeb38fab6834fda0cb9520f077e
                              • Opcode Fuzzy Hash: c755a6632b3fe3032261bc32ae816edc99958700fc1875eaef1e4bbbffc81a41
                              • Instruction Fuzzy Hash: 8C81B172A08309CFDB24CF98C884B6DB7F5BF48720F1A416DDA01AB286C7B49D41CB94
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 23bfac25a119c36b38348266586887ac04a9910c8be91deaba1e8b1c45ec1ba3
                              • Instruction ID: d8325f6fffc2fa3b84951a70714079da437ad782ce8d3fc3067758d94d7b872d
                              • Opcode Fuzzy Hash: 23bfac25a119c36b38348266586887ac04a9910c8be91deaba1e8b1c45ec1ba3
                              • Instruction Fuzzy Hash: 74712971E0020AAFDB16DF94C845FEEFBB8FB04750F10426DE621A7291E774AA05CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 102ff1c4502cbd5ae6da78273634354ab7bd4d6a562a81e84ca7e8e132dc290c
                              • Instruction ID: 794fe7f046bacfb2eb7999f83634447c76735cf255ada5bb477be0af529a2e49
                              • Opcode Fuzzy Hash: 102ff1c4502cbd5ae6da78273634354ab7bd4d6a562a81e84ca7e8e132dc290c
                              • Instruction Fuzzy Hash: 4951A272504712AFD722DF68C848E5BFBE8EBC9750F414A29BA41DB150D770ED09CBA2
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cbee9a303918227a9ede0656fc671e8aaeef1c204c39698d6970ebda4b83ef28
                              • Instruction ID: c57d8e2c58c1868a9e6b9888e09aa49d4d24b28b988c98bc0ee1973f8e3d7b75
                              • Opcode Fuzzy Hash: cbee9a303918227a9ede0656fc671e8aaeef1c204c39698d6970ebda4b83ef28
                              • Instruction Fuzzy Hash: 5051F070900709DFDB21CF6AD884BABFBF8BF95710F10461ED292976A1C7B0A549CB91
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: df35694bb80a5fcd44e4913bf5223f6329976d81dc17be81533e15146f74fadb
                              • Instruction ID: 937efee36a08dbec4c396921445746e9e98b8a1c8de778a53f6905f2be1a8a63
                              • Opcode Fuzzy Hash: df35694bb80a5fcd44e4913bf5223f6329976d81dc17be81533e15146f74fadb
                              • Instruction Fuzzy Hash: F9515C71200A15DFCB22EF69C984EAAF3FDFF14644F50086AE652D72A1DB34E941CB50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aa0f840c911ad84f601cec0d7d3394b1c2aebeaabcbd3ec6ca4c14b8cf04f7a6
                              • Instruction ID: 28e008b71ed94ae29e06b3adfbd0ae0959c6ab40621b28b74f39326aa0ffccd5
                              • Opcode Fuzzy Hash: aa0f840c911ad84f601cec0d7d3394b1c2aebeaabcbd3ec6ca4c14b8cf04f7a6
                              • Instruction Fuzzy Hash: 7F517A716083029FDB54DF29D981A6BFBE5BFC8218F444A2DF586D7250D730D90ACB52
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                              • Instruction ID: d8f6b4013909a1fb3e6e7f4e7998abb3e4d3fa5541b3098355beac1bcc6cecd0
                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                              • Instruction Fuzzy Hash: 0C516C71E0021AABDF15DF98C444BFEFBB5EF49754F044069EA02AB248D774DA44CBA0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                              • Instruction ID: 8e37dd960d40147fbe6972f8b86e40923a64c3f60f79b55ea53c2911411f9b80
                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                              • Instruction Fuzzy Hash: 9B51A771D0020AEFEF219A94C884FBEFF79AB44364F1546E5D612671A1DB309E448BA0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2fecacea024f857f772f69aebff20341a7b5deee952fd968bf2ff78b55538b41
                              • Instruction ID: 626763663f1d40802781a5ea21abf40f411b5e542059a045d4e22a2f4054b73e
                              • Opcode Fuzzy Hash: 2fecacea024f857f772f69aebff20341a7b5deee952fd968bf2ff78b55538b41
                              • Instruction Fuzzy Hash: E841F8B07056019BDB29DB2DC8D8BFBFB9EEF94220F048259F95987384DB30D841C692
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 416a48dac6e43d8258dc1e11e7372fe1877f589c5266ff032d5bfea4299fcdac
                              • Instruction ID: 3acefe175937bf57ed2b22a984dc5a8e17b444732c946913d98435f8bee4762b
                              • Opcode Fuzzy Hash: 416a48dac6e43d8258dc1e11e7372fe1877f589c5266ff032d5bfea4299fcdac
                              • Instruction Fuzzy Hash: F151787290021ADFCF22DFA8C9809AEFBF9FB58328F158519E546A7305D730AD41CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7cc4fb948ca6399215f93cb058aa0a4db0df9e2477f8e8693e0aea8fd75d3ecc
                              • Instruction ID: da6797c42dc866888d8b60a1cf49508c8fbf1cb549a71edf278e9d365fdc98d5
                              • Opcode Fuzzy Hash: 7cc4fb948ca6399215f93cb058aa0a4db0df9e2477f8e8693e0aea8fd75d3ecc
                              • Instruction Fuzzy Hash: BA4128726443229BCF25EF69A884B6AF7E9EB58718F41407CFE029F246D771DC018790
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                              • Instruction ID: 2d3facd168060947f3853be71f40efa27c9d1a4555b447bba86f5098b47817da
                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                              • Instruction Fuzzy Hash: E541C672A007169FD725DF28C9C4BAAF7E9FF80210B05466EE95287645EB31ED04C790
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 17e12595cf17584f8f4d8ddf659f575aeb5783135d22114cd4a558b737708719
                              • Instruction ID: d6cfab5d19923834a72e380643980e1cee7faaa33e574cc9459a5887092391d2
                              • Opcode Fuzzy Hash: 17e12595cf17584f8f4d8ddf659f575aeb5783135d22114cd4a558b737708719
                              • Instruction Fuzzy Hash: 1141AA369002299BDB14DF98C440AEEFBB4BF59710F15826EF815E7241D735AD42CBB4
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: abd5dbc3a7da3898ae0f81226aa2edbea106e3a8f0a31f340d4321cb771e59f3
                              • Instruction ID: 1e0ca487aa09ce7712ef7267c4241723b5cc8e8e83ad4f0f8c112530d9e11f96
                              • Opcode Fuzzy Hash: abd5dbc3a7da3898ae0f81226aa2edbea106e3a8f0a31f340d4321cb771e59f3
                              • Instruction Fuzzy Hash: 5A41B3726043029FD726DF2CC884A5BF7E5FF88324F144869E957C725ADB71E8848B50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                              • Instruction ID: d4670eca3ba573ec7d5517c30201af53bd4bcb1ad489b2e57c48eb1d8b349a7f
                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                              • Instruction Fuzzy Hash: 1A515A75A00215CFCB15CF9DC980AAEFBB6FF84710F2881A9D915A7355D770AE82CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f06264457af862767d9061f798c959c1c4256762f4632320852e35d59066bb0
                              • Instruction ID: 2e4b5c2341b34ab8bc4bd12860b5ce7a104530dfe7fe714cc77cb8482a123a97
                              • Opcode Fuzzy Hash: 0f06264457af862767d9061f798c959c1c4256762f4632320852e35d59066bb0
                              • Instruction Fuzzy Hash: A351E470940256DBDB26CB28CC18BE9FBF1FF15314F1482A9E629972C2D7749981CF80
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b30f1264be27fbc678121b561c1ff3d5ed35a5a4db27ae849148f645a5f542f8
                              • Instruction ID: 1653b36b0a318a9247392af6237791cb48b48ab975d5dfed8045b2111da90c0c
                              • Opcode Fuzzy Hash: b30f1264be27fbc678121b561c1ff3d5ed35a5a4db27ae849148f645a5f542f8
                              • Instruction Fuzzy Hash: 1C419131A00329DFDB21DF68CD44BEAB7B5BF45750F0100A9EA48AB246DB749E81CF91
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                              • Instruction ID: 3942a70e7fb41e2db1461fb89c964a7195ea9d35ac595f8cd1984bde370e315a
                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                              • Instruction Fuzzy Hash: C6417F75B10206ABDB15DA99CCC4BEFFBBEAF88704F144069E914A7346D770DD0087A1
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 636bf21a669518501c70cef8400f9e7a7913bf4d9f8dddaf3295d5b0ad42302c
                              • Instruction ID: 29d492a25378983bc45af05025147bf9336f5a4c8934013adf09e896babccb4d
                              • Opcode Fuzzy Hash: 636bf21a669518501c70cef8400f9e7a7913bf4d9f8dddaf3295d5b0ad42302c
                              • Instruction Fuzzy Hash: C141C271600702DFE725CF28C884A22F7FAFF49314B109A6DE65787A52E730E846CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4882f364d90d8ff123018e1be1d38f9e7e1d80cd828c7eb0d3a48489d22e555
                              • Instruction ID: 4136c8d4e645cb533a74e80f78133e967851622360258140a03b872146cf4d75
                              • Opcode Fuzzy Hash: f4882f364d90d8ff123018e1be1d38f9e7e1d80cd828c7eb0d3a48489d22e555
                              • Instruction Fuzzy Hash: 6841D132945245CFDF21CF6CC458BADFBF1FB18720F184195D812AB289DB349A40CBA4
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1aed622d4e090193871f5e124e07000568012da3f61329473dd97b0816ff6570
                              • Instruction ID: 5cf3a0f623bd001db4efdbdddc978055c3282921f8e8bd67a1d101fa784ea625
                              • Opcode Fuzzy Hash: 1aed622d4e090193871f5e124e07000568012da3f61329473dd97b0816ff6570
                              • Instruction Fuzzy Hash: BF41E472900206CBDB25DF58CC44B5ABBFAFF98B14F19816EDA029F256C775D842CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 605d5215b654032a2faffb6ad38180c19c401dad909ec961ef27cbc18b3fc021
                              • Instruction ID: 6bfd95348e01eb038e36ed13524c97573a8e4c4516784215671fdba33ce2bd87
                              • Opcode Fuzzy Hash: 605d5215b654032a2faffb6ad38180c19c401dad909ec961ef27cbc18b3fc021
                              • Instruction Fuzzy Hash: EC21B072A043469FDB12EF6DC848F6BFBDCAFA2640F08045ABD80C7291D734D944C6A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 157f23c714127fafca9f3dcc31ffc048f21044435dce1618c2a232706ce19aa6
                              • Instruction ID: a3d1748bcf14d1b4ceb778800bf5db44b13067bf3c86c834725837ceb81ff059
                              • Opcode Fuzzy Hash: 157f23c714127fafca9f3dcc31ffc048f21044435dce1618c2a232706ce19aa6
                              • Instruction Fuzzy Hash: 7F21A7316457829BE722676CCC08F24FBD4AB41764F2903B4FE209B6DADBB8D8818250
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d683d7bfc2da1d51b0a23c2329f12ce397ca7e5786fc519efe42c7480968d5e
                              • Instruction ID: f1e459607494df572a9d09f0b1362d47d2bcab6ec075e2eef5fc3a29f7bafa72
                              • Opcode Fuzzy Hash: 0d683d7bfc2da1d51b0a23c2329f12ce397ca7e5786fc519efe42c7480968d5e
                              • Instruction Fuzzy Hash: C8219875240B119FC725DF29C801B46B7E5AF08B08F2488A8E509CBB62E331E842CF94
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 628e777ab2220a9c51a5b8cab80ce92be43dc27714607dbb40feda941e3e7a2f
                              • Instruction ID: 9cf21a97e89a62abe2b466d80b2873dce48f1399bd39ae641bdd2a834f960773
                              • Opcode Fuzzy Hash: 628e777ab2220a9c51a5b8cab80ce92be43dc27714607dbb40feda941e3e7a2f
                              • Instruction Fuzzy Hash: EB110A72340A11BFE72255599C15F67F69ADBD4B60FA10128B758CB290DB60DC01C7A9
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c154bd77400355ccdd1c78c903811ee8df484a2ae6f22207627d8ba1120b2f10
                              • Instruction ID: ae29fe64cc81e5793553ad860686106588f9c9687fe2792ed3cb399039ab4a73
                              • Opcode Fuzzy Hash: c154bd77400355ccdd1c78c903811ee8df484a2ae6f22207627d8ba1120b2f10
                              • Instruction Fuzzy Hash: 9621E6B1E01209AFCB24DFAAD8859AEFBF9FF99710F10012FE505A7244DA709941CF54
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                              • Instruction ID: b4401fee842cacc9c81980ae0ad0b894154a800bdc7cf74e81bd7fea8a74c95b
                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                              • Instruction Fuzzy Hash: 7E218172940209EFDF129F58CC44B9EFBBAEF48310F244459F951A7251D734DD519B50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                              • Instruction ID: ac592a2a9d37418ad6f120849fb3ba7afe86c70d42aabcf3623c8920d4dbf6bd
                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                              • Instruction Fuzzy Hash: 7D11DD72601619AFE7229B48CC85F9EFBB8EB80754F200029FA008B190D671ED46CB60
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aac05c67d6e01965d2edb3c5f8ea043bf647e900f3cff5ee065a1cc9f0ede3b7
                              • Instruction ID: 717f220e58743670910841a85802ddb9aced403027c3b2ef02dd771ac7e4f59d
                              • Opcode Fuzzy Hash: aac05c67d6e01965d2edb3c5f8ea043bf647e900f3cff5ee065a1cc9f0ede3b7
                              • Instruction Fuzzy Hash: 0E11BF767016119BDB11CF4DC880A6ABBEEAF5A710B1980ADEF089F304D7B2D9018790
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                              • Instruction ID: c4d570996b4e5a28429d270592a634cc5852cddfb033474fe2bf5a152cb58106
                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                              • Instruction Fuzzy Hash: 8A217972640661DFDB228F4DC544A66FBE6EB94B10F14887DE94A8BA14C730EC02CF80
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f08c40637159c69a71cf215c5b4bcf9724fac13ac2019300e14a3f04653235a
                              • Instruction ID: 8a2ece53ba62552ef080552bf8ad62ffccabe0da9f8a374812cf0f9e4d5332ea
                              • Opcode Fuzzy Hash: 1f08c40637159c69a71cf215c5b4bcf9724fac13ac2019300e14a3f04653235a
                              • Instruction Fuzzy Hash: D9216F75A00206DFCB14CF58C981A6EBBF9FB89319F2442ADD205AB355C771AD06CBD0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 58273a6c8f8caafc16f464808c10e2831e0495d0ba8d11ca3b174f89a1c4489b
                              • Instruction ID: e4957997f4cd0a7ef600f2d8f800648ce2ff9a3fb82a5b66f8593c664d7a5361
                              • Opcode Fuzzy Hash: 58273a6c8f8caafc16f464808c10e2831e0495d0ba8d11ca3b174f89a1c4489b
                              • Instruction Fuzzy Hash: 58218E71500A10EFD7218F69D840B66F7E8FF44250F00882EF99AC7251DA70EC41CB60
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec5328fe09e8fed54206c49034adc070c5349afa3b4881a75200ec3256d48088
                              • Instruction ID: 1501b078a06a43934fa7f13fc1c63530a44e73a3d388e6101b30a9f094b0297e
                              • Opcode Fuzzy Hash: ec5328fe09e8fed54206c49034adc070c5349afa3b4881a75200ec3256d48088
                              • Instruction Fuzzy Hash: C7119132280614FFC722EB5DCD44F9AF7A8EB99A64F114069F215DB291DA70E901C7A1
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9d6aed35a9066d017d919724e0ff8d375bbe148eb0acfc8c420203379ef8c11b
                              • Instruction ID: 5a67fdb02c0e261380047d2b0ba0af6bfa672647a410697a3b138ec3326f4e93
                              • Opcode Fuzzy Hash: 9d6aed35a9066d017d919724e0ff8d375bbe148eb0acfc8c420203379ef8c11b
                              • Instruction Fuzzy Hash: 611108333041149FCB1ADB29CC89A6BF29BEBD5374B354539EE22CB294ED309842C291
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0dbf5ea2bd8645de759e717354a5bbbfb8f1d7c56b486a78ea1ce4e5c364b71e
                              • Instruction ID: 51ce743f27dfbd686f45891719cf1ab7b630ffc28c5b7110c8f29bee41379c64
                              • Opcode Fuzzy Hash: 0dbf5ea2bd8645de759e717354a5bbbfb8f1d7c56b486a78ea1ce4e5c364b71e
                              • Instruction Fuzzy Hash: D1110172A00221DFCB26CF59E480A0AFBF4EF98210F0180BAFD059B351E630DC01CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                              • Instruction ID: b0e44cb98a93bbdfbf224df8bd6da515a35e33b83c378c620ef60df65745898e
                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                              • Instruction Fuzzy Hash: 69110436A00905AFDB19DB58C845B9DFBF5FF84210F058269E85597344E731EE41CBC0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                              • Instruction ID: 425186f19c3c71601f28ba08f7a4d41f458c550fc46d453be410a1e23486cf83
                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                              • Instruction Fuzzy Hash: B921F4B5A00B099FD3A0CF29C540B52BBF4FB48B10F10492EE98AC7B40E371E814CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                              • Instruction ID: e48dc77164f0501b108b68e057f714461ae1628dcbc1945275e0d1c09a9532c2
                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                              • Instruction Fuzzy Hash: CA11AC32680601EFEF219F48C844B5AFBE6EF45754F0594ACEA499B261DF31EC80DB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 86046126436f945975d6fc558c4d8be6c1453f837bdba70de7ccb119c57aabe3
                              • Instruction ID: 68b11444c4512be6b9ab593fff1c45063f6f1b28d51c217a45a581f70bbc3e43
                              • Opcode Fuzzy Hash: 86046126436f945975d6fc558c4d8be6c1453f837bdba70de7ccb119c57aabe3
                              • Instruction Fuzzy Hash: 32010471645645AFE316A26DD848F27EBDCEF50350F1500B5FD008B295E964DC00C261
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2eeb6f811274df8c8ac2a83729fa2be3f183d581788449738c31f56324b32aad
                              • Instruction ID: 15b73e062bc854ba705244901fd37e3e2ffe0c531c36dd3dd2be9600cb9dab5e
                              • Opcode Fuzzy Hash: 2eeb6f811274df8c8ac2a83729fa2be3f183d581788449738c31f56324b32aad
                              • Instruction Fuzzy Hash: 23119A36204645AFDB25CF59DC44B677BA9EB9AB64F00411EFA048BB50CB71E840CFA0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d29c2260429b0e175e854bc537eecd1882fbbb7229286dc84c877074f1cbb7
                              • Instruction ID: c5e55c084b209bf979299d7b76099fc257fb170debfe447327a47738e1645e42
                              • Opcode Fuzzy Hash: c5d29c2260429b0e175e854bc537eecd1882fbbb7229286dc84c877074f1cbb7
                              • Instruction Fuzzy Hash: 6211C236200A119FD7229E6DD854F66FBE6FFC4B20F19442DEA43C7694DA30E802CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 24f162d2c7a79d903aa6f9dd7bdb23fd071bca30f775a6498afcdf0bb3030fb2
                              • Instruction ID: bc3a122dad3b98d0f8d79bb7af0e73f581f4f2449bfcb495e3db1b24e0596356
                              • Opcode Fuzzy Hash: 24f162d2c7a79d903aa6f9dd7bdb23fd071bca30f775a6498afcdf0bb3030fb2
                              • Instruction Fuzzy Hash: BE117076A01726ABDB329F59C980B5EFBB9EF48750F54045AEE01A7244D730AD028B90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ab31be1780f1efd08e14577e3f1aa7168fce53dd72bb51f0cc4e0c72c3bfa461
                              • Instruction ID: a05b8b295b53485b35993af7a9418738bdf966858816e5cf8f9bf466c56cdcec
                              • Opcode Fuzzy Hash: ab31be1780f1efd08e14577e3f1aa7168fce53dd72bb51f0cc4e0c72c3bfa461
                              • Instruction Fuzzy Hash: 8801967550010A9FC726DB19D448F26FBFAFB95328F218169E6058B265CB70DD81CB94
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                              • Instruction ID: 3dc170c8b866e913292f008b77e5927f9ce464b91e5a14403b752948f6ca317d
                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                              • Instruction Fuzzy Hash: 9811E571601AC2DFE723972CC948F25FBE4AB01744F2900E0DE41C7686FB78C942C251
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                              • Instruction ID: 6fc17c2dbe9da7ecbe3adb1a880777ae0f852cf41d75a56af5d3ae567ca75cbe
                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                              • Instruction Fuzzy Hash: 8A018032600205AFEB219B58CC04B6AFAA9EB45760F0584A8EA059B260EB71DD80CBD0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                              • Instruction ID: 82b57385b99ac56f624a37d5794bedf420346ec1c13125f65623dcd50c0b5ba7
                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                              • Instruction Fuzzy Hash: 860104314067219FCB218F599C44A227BE4EF55760704C72DF895AF281C331D801CB60
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 762e3d13b4933f6429e7048ec9c459ca038bcb0c21499378e433a2e6f44d98a8
                              • Instruction ID: 9779278eedd3ce6c5e37c05a2c216eb845740f20f085500cda6989f25a25d9ef
                              • Opcode Fuzzy Hash: 762e3d13b4933f6429e7048ec9c459ca038bcb0c21499378e433a2e6f44d98a8
                              • Instruction Fuzzy Hash: 210100335416219FC3329F1C8814E92F7E8EB91B70B25426DE9AA9B2E6D730D801CB90
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4290acdff930817e8b8390140087b2fecdeb840e91113cf6d4794ca976e55a00
                              • Instruction ID: 00842a4b5599330fbdb650fd5f0adf6d9a400009879a002bb3f0ce690f50c640
                              • Opcode Fuzzy Hash: 4290acdff930817e8b8390140087b2fecdeb840e91113cf6d4794ca976e55a00
                              • Instruction Fuzzy Hash: 3E11ED36241601EFCB16EF09CD90F06BBB9FF58B44F2000A9FE059B2A1C631ED01CAA0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c9f9c03f346e01352e37b6dbfd71a3f21ef648246eecb28f8b8eaedaae6df1ea
                              • Instruction ID: 7303087696daf186ea1de1b8174954722281b507db5d3bff1820bd21509b5aaa
                              • Opcode Fuzzy Hash: c9f9c03f346e01352e37b6dbfd71a3f21ef648246eecb28f8b8eaedaae6df1ea
                              • Instruction Fuzzy Hash: 96118E71541229ABEB39EF64CD46FE9B3B4BF48710F5081D4A318A61E1DB709E81CF84
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                              • Instruction ID: 4a426556d184f18b4f8c812a01c6ea122441da7e75216b8d9ef3bc202923e5bd
                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                              • Instruction Fuzzy Hash: A1F03072144204EFE3219F09D944F62F7F9EB05364F45C065F6099B561D37AEC41CBA8
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                              • Instruction ID: 0d4f779032758ab5050d88b824669139c81206a01a87cd47b90f4c8f12fd8561
                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                              • Instruction Fuzzy Hash: 7BF0ED3A204741DFEB16CF19C440AA9BBE9FB59360B000099F9428B342EB35E982CB94
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                              • Instruction ID: 5d88bc8358f7d3ce1452b7e99b40be962a0b6876a9ff737aa541e8766a6a87f8
                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                              • Instruction Fuzzy Hash: 05E0D832244255ABD3215A698808B6AF7B5EBD47A0F150429E2428B150DBB0DD42C7D8
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7e55cc33a216f4dfb77183fb75ef59e6a3f7c069106b175c31bbb7496343bb9
                              • Instruction ID: 9244b325b5d79673b50509fd7d773ac6b4942d77962a99a743b5a9422f2b3119
                              • Opcode Fuzzy Hash: d7e55cc33a216f4dfb77183fb75ef59e6a3f7c069106b175c31bbb7496343bb9
                              • Instruction Fuzzy Hash: 48F0E531A256918FE772D72CD964B52F7E1ABA0F30F4A055CD48287912C320DC40C650
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                              • Instruction ID: fc127823431c326945bbc1233cb35e46c707beec454139a6c90d910f9c42c446
                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                              • Instruction Fuzzy Hash: 41E0DF32A40224FBDF2297998D09F9AFEACDB94EA0F050054B601EB1D4E530DE04D690
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                              • Instruction ID: 7f68c6666e34a8489ac90644b2606d92d2b591f33af4cb36c75f38787f3b4b58
                              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                              • Instruction Fuzzy Hash: EBE06535680350CFCB258A19C140A53F7E8DFA5B60F15C0ADE90547616C231E842C6D0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c57b196c18feee6a7b993703be5f0c0719b628546b37e24b61fbb51f208d684c
                              • Instruction ID: e43f4c8e048aa2aaf878b504d7a8b1981a5a3e8e62c7ce15c7fb2c630ed1d00c
                              • Opcode Fuzzy Hash: c57b196c18feee6a7b993703be5f0c0719b628546b37e24b61fbb51f208d684c
                              • Instruction Fuzzy Hash: A4E09272100A549BC722BB29DD05F8BB7DAEBA4374F01451DB125571D1CB30A810CB88
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                              • Instruction ID: 7f006b405554c3da46c67859bbaf5e672e4cae1aefe74b9efeaa606df73681ce
                              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                              • Instruction Fuzzy Hash: 1CE06531010A12DFE7366B2AC80CB52FAE0AFA0711F288C28A09A024B4C7B598C1CB80
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                              • Instruction ID: 7c7e6d320d97eaa3b0858e0219b05937e4fde017d15d5cea080d5a6d71964659
                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                              • Instruction Fuzzy Hash: 87E0C2343003058FEB16CF19C040B66BBB6BFD5A10F28C0A8A9498F205EB32E842CB40
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 455921b8a4b84685bad369080a1d749de3fe010b39b62074e8ae7f931b52713a
                              • Instruction ID: 3047bb8faa858ced3afe0c7596372ac1486059bd1d73f96d433559bbb016ef56
                              • Opcode Fuzzy Hash: 455921b8a4b84685bad369080a1d749de3fe010b39b62074e8ae7f931b52713a
                              • Instruction Fuzzy Hash: 0FD02B32985030AACF37E1197C08FD7BAED9B64360F018860F20896015D524CD8286C4
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                              • Instruction ID: 5142aa548dadd09a05ab12231d467d08586510553daff0626eeeb4c8619df871
                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                              • Instruction Fuzzy Hash: 9EE0CD31041A10DFD7322F15DC08F51F6E5FFD4B10F208919E041070A987709C83DB84
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cebda8ae7e828ebe1b376049c03d142ed77e08dcbdb978465463199ad589aea5
                              • Instruction ID: a9fe22ef6d2c5258a3045a36f22d8e394b626c85bcca43075e70a52febdcecc1
                              • Opcode Fuzzy Hash: cebda8ae7e828ebe1b376049c03d142ed77e08dcbdb978465463199ad589aea5
                              • Instruction Fuzzy Hash: FEE08C32201560ABC612FA5DDD10E4A73DAEBA4270F004129B2608B6D4CA20AC00CB98
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                              • Instruction ID: e90e61fcf245bd2939559861b8609dce793842f002a30fed613bbc932d6cb25a
                              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                              • Instruction Fuzzy Hash: 72D05E36511E50EFC3329F1BEA04C13FBF9FBC5B107050A2EA54583A24C770A806CBA0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                              • Instruction ID: 52bbae0938ec28eb3ebb1f06230cfe6f03435f1c2fa8c990fc682d437d9fd57f
                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                              • Instruction Fuzzy Hash: 9DD0A932208A20AFD732AA1CFC04FC3B3E8BB88B24F060859B018C7090C360AC81CA84
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                              • Instruction ID: 25498d068caa2e9dd73090b538dca15ec60872af79daf308cc5d791e628dc220
                              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                              • Instruction Fuzzy Hash: A0E0EC359507849FDF12EF59CA44F5AFBF9BF94B40F160458A5185B660CA35A900CB50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                              • Instruction ID: 8de78621c137512adbeb1aa85efa29f6667c06690c27755ab2cdaeadbf289029
                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                              • Instruction Fuzzy Hash: 79D0223221303097CB2956956C08FA3AD85AF80A98F1A012C340AD3940C1048C43C2E0
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                              • Instruction ID: d17b29197e954e34aaad8d895cd3a660d37cc2be51bd82c8da57c99a80ac0ca4
                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                              • Instruction Fuzzy Hash: 4CD012371D064DFBCB129F66DC01F957BA9E764BA0F444420B514C75E0C63AE950D584
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd903727c64a7d9fe19cdb9fd115cf011f6e66eeaa15c3c8dfa39121c6a7dabe
                              • Instruction ID: 37b519d2ae00cc7579999ee24dd8eda1a61b92ece566a60d5ece7bc9010bf9a4
                              • Opcode Fuzzy Hash: dd903727c64a7d9fe19cdb9fd115cf011f6e66eeaa15c3c8dfa39121c6a7dabe
                              • Instruction Fuzzy Hash: 17D05230612612CBDF2BCF08CA10A3EBAB8FB24640B4000A8EA4092020E328D9028A00
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                              • Instruction ID: 359feb73d459c1844b072cdc4dcee5e4dc7a678e0c7e57d2e0f0ea9e711698b4
                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                              • Instruction Fuzzy Hash: 88D0C935216E80CFD71BCB0CC5A4B15B3E4BB84B94F8104D0F402CBB62E67CD980CA00
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                              • Instruction ID: caa9a6b2b41f2df6ff3b55381d5afa3d201c52e17971bf19d0d0eb3974b7142a
                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                              • Instruction Fuzzy Hash: 16C01232150644AFC7129A95CD01F0277A9E798B40F000421F204875B0C531E810D644
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                              • Instruction ID: 5b65031d907d07d6b95eea760d6dbee382c859a78a073ca70c9787d3e05cd655
                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                              • Instruction Fuzzy Hash: 74D01236100248EFCB01DF45C890D9AB73AFBD8710F108019FD190B6148A31ED62DA50
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                              • Instruction ID: 9bdfe545175974631701336be01981ef430baf8329cbfab588da8db76192efd2
                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                              • Instruction Fuzzy Hash: 9FC04879B01A42CFCF16DB2AD298F49B7E4FB54750F150890E845CBB22EB28E841CA10
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 134cda6a40de181e8edcb48d0bdc5c93663e7ae036543a9e7267a5e3712267f8
                              • Instruction ID: 8798707643c7b42655aa53d497e214459f18b270e91e8214728c21a2012ef4ef
                              • Opcode Fuzzy Hash: 134cda6a40de181e8edcb48d0bdc5c93663e7ae036543a9e7267a5e3712267f8
                              • Instruction Fuzzy Hash: 28900231709804139240719848845468005A7E0301B55C021E0424564CCB548B565362
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5218f83d098762474b22974d8a4248f076f6300a657b473486d449bc4c0ed3a6
                              • Instruction ID: fdf864d0a81d347a01b21dfabccc06765b898dd9a2bfa2a18ac6402d68b68162
                              • Opcode Fuzzy Hash: 5218f83d098762474b22974d8a4248f076f6300a657b473486d449bc4c0ed3a6
                              • Instruction Fuzzy Hash: 2D90026170550443424071984804406A005A7E1301395C125A0554570CC7588A55936A
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30fe9fa3057a1ab11b05288b90a44049a4452e8bf74bc80c59f62953e37780e1
                              • Instruction ID: 66651c93887bdf486f614ccb12b9ac58611b3f542d913834f60ecb22a9c19bb3
                              • Opcode Fuzzy Hash: 30fe9fa3057a1ab11b05288b90a44049a4452e8bf74bc80c59f62953e37780e1
                              • Instruction Fuzzy Hash: 6190026130640403420571984414616800A97E0201B55C031E10145A0DC7658A916226
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1c5f11c8b0974b878c7e07bf17ececc049cc7b44e835df2862358e7eadf103e
                              • Instruction ID: 42712d18fbccb9472dbc8911a36422d39e846fe8e30747f9ded3fd465f72d85d
                              • Opcode Fuzzy Hash: a1c5f11c8b0974b878c7e07bf17ececc049cc7b44e835df2862358e7eadf103e
                              • Instruction Fuzzy Hash: 5190023130540C03D2807198440464A400597D1301F95C025A0025664DCB558B5977A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38aa3a4bdcb1824a612af1bd5d6f7f7fc539c8d595846b661c314fe4453fdae8
                              • Instruction ID: 5cbf07320e933d4d262521e8e7e89985d9ea80a219ba2b9eef93b5315dd2aa53
                              • Opcode Fuzzy Hash: 38aa3a4bdcb1824a612af1bd5d6f7f7fc539c8d595846b661c314fe4453fdae8
                              • Instruction Fuzzy Hash: 1890023130944C43D24071984404A46401597D0305F55C021A00646A4DD7658F55B762
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e913b8f9122e8e84f7a8bd9de87f8534f09323c56300d414f561adb0fb3b5cc
                              • Instruction ID: e4aa0cb9b761b5b9d5b355ac616203d1f42cbd9b05abd98baf7f669c58691020
                              • Opcode Fuzzy Hash: 8e913b8f9122e8e84f7a8bd9de87f8534f09323c56300d414f561adb0fb3b5cc
                              • Instruction Fuzzy Hash: 2190023170940C03D25071984414746400597D0301F55C021A0024664DC7958B5577A2
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                              • API String ID: 48624451-2108815105
                              • Opcode ID: de894b348065f53fbcefb21d01e061253cb557ba8caeb3545d987f253463647b
                              • Instruction ID: 800a3a6db390d63e7dc68dbaedeffff0ec81f123a197ee87a42785880f46aaa9
                              • Opcode Fuzzy Hash: de894b348065f53fbcefb21d01e061253cb557ba8caeb3545d987f253463647b
                              • Instruction Fuzzy Hash: 5351D6B6A00156BFDB11DF9C8C909BEFBB8BB882407148269F565E7647D734DE408BA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                              • API String ID: 48624451-2108815105
                              • Opcode ID: 157b9dc095430a5ff4c791e3294f3a26b30fe20a8e78c77b0a1fb278028234b7
                              • Instruction ID: b6379ad8e97c1cd207f514ce8f07b59e60b90a74dc772aff0ac3331935a74a9a
                              • Opcode Fuzzy Hash: 157b9dc095430a5ff4c791e3294f3a26b30fe20a8e78c77b0a1fb278028234b7
                              • Instruction Fuzzy Hash: 1E51F671A04645AFCB30DF5CCC9097FF7F9EB84200B948599E5D6C7642E674DE008760
                              Strings
                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01764725
                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01764787
                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017646FC
                              • ExecuteOptions, xrefs: 017646A0
                              • Execute=1, xrefs: 01764713
                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01764742
                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01764655
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                              • API String ID: 0-484625025
                              • Opcode ID: 2158142b80671288d29040f5da06b1323456a40f4a03a15e320a6e6450c2695f
                              • Instruction ID: e96d767a8b899907ae2f00463144b6b81c3558902b63ad021ea2d5a86a67b199
                              • Opcode Fuzzy Hash: 2158142b80671288d29040f5da06b1323456a40f4a03a15e320a6e6450c2695f
                              • Instruction Fuzzy Hash: 8F511E31A0022A7AEF25EB69DD89FBDF7A8EF25300F1400DDD606A7191D7719E468F50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.2392642271.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016C0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_16c0000_PO 2025918 pdf.jbxd
                              Similarity
                              • API ID: __aulldvrm
                              • String ID: +$-$0$0
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: %%%u$[$]:%u
                              Strings
                              • RTL: Re-Waiting, xrefs: 0176031E
                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017602BD
                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017602E7
                              Similarity
                              • API ID:
                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                              Strings
                              • RTL: Re-Waiting, xrefs: 01767BAC
                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01767B7F
                              • RTL: Resource at %p, xrefs: 01767B8E
                              Similarity
                              • API ID:
                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0176728C
                              Strings
                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01767294
                              • RTL: Re-Waiting, xrefs: 017672C1
                              • RTL: Resource at %p, xrefs: 017672A3
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: %%%u$]:%u
                              Similarity
                              • API ID: __aulldvrm
                              • String ID: +$-
                              Similarity
                              • API ID:
                              • String ID: $$@