Edit tour

Windows Analysis Report
PDFixers.exe

Overview

General Information

Sample name:	PDFixers.exe
Analysis ID:	1428284
MD5:	b4440eea7367c3fb04a89225df4022a6
SHA1:	5a6c01f821f10f6ed1f1283ecba36c5bacfb5838
SHA256:	a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Multi AV Scanner detection for submitted file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PDFixers.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\PDFixers.exe" MD5: B4440EEA7367C3FB04A89225DF4022A6)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PDFixers.exe

ReversingLabs: Detection: 37%

Source: PDFixers.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 172.67.147.142:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: PDFixers.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 172.67.147.142 172.67.147.142

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pixel.pdfixers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js HTTP/1.1Accept: /Referer: https://pixel.pdfixers.com/Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pixel.pdfixers.comConnection: Keep-AliveCookie: AWSALB=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX; AWSALBCORS=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pixel.pdfixers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js HTTP/1.1Accept: /Referer: https://pixel.pdfixers.com/Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pixel.pdfixers.comConnection: Keep-AliveCookie: AWSALB=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX; AWSALBCORS=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX

Source: unknown

DNS traffic detected: queries for: pixel.pdfixers.com

Source: PDFixers.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PDFixers.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PDFixers.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PDFixers.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: PDFixers.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: PDFixers.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PDFixers.exe, 00000000.00000002.2903084540.000001862ADF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: PDFixers.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PDFixers.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PDFixers.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PDFixers.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: PDFixers.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: PDFixers.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: PDFixers.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: PDFixers.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: PDFixers.exe	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: PDFixers.exe, 00000000.00000002.2901936557.0000018612411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PDFixers.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: PDFixers.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: PDFixers.exe	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E306FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E306FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/?
Source: PDFixers.exe, 00000000.00000002.2903084540.000001862ADC3000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp, QJV1CLZP.htm.0.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Nunito
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com/
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com/W
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp, css2[1].css.0.dr	String found in binary or memory: https://fonts.gstatic.com/l/font?kit=pe1mMImSLYBIv1o4X1M8ce2xCx3yop4tQpF_MeTm0lfGWVpNn64CL7U8upHZIbM
Source: PDFixers.exe, 00000000.00000002.2929710133.0000018E370D2000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2931218903.0000018E37E34000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Fonthausen/NunitoSans)
Source: PDFixers.exe, 00000000.00000002.2930020898.0000018E3714E000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2930797419.0000018E378B0000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2931218903.0000018E37E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Fonthausen/NunitoSans)Thread-00001ad0-Id-00000000:SubsetRegularVersion
Source: PDFixers.exe, 00000000.00000002.2903084540.000001862ADF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com)
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E305CF000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E30630000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E30565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2912145197.0000018E306FA000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/#
Source: PDFixers.exe, 00000000.00000002.2906876472.000001862C668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/-
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/.
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E3061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/...
Source: PDFixers.exe, 00000000.00000002.2901936557.00000186124CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/...p
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com//
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/3
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/:#
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/C:
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/H
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/_
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/l/email-protection
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E305CF000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2907114641.000001862C6C8000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2909042362.0000018E301C5000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2912145197.0000018E306FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E306FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js7
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E305CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsC:
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsZreK
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsgvZD
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jss#
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsu
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsx
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js~
Source: PDFixers.exe, 00000000.00000002.2901936557.00000186124CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/h
Source: PDFixers.exe, 00000000.00000002.2921981855.0000018E325D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/ema
Source: PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/k
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/lE
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/llF
Source: PDFixers.exe, 00000000.00000002.2901936557.00000186124CB000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E3061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/p
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E3061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.com/t
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pixel.pdfixers.comD
Source: PDFixers.exe, 00000000.00000002.2916744262.0000018E30D20000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: PDFixers.exe, 00000000.00000002.2930020898.0000018E3714E000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2930797419.0000018E378B0000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2931218903.0000018E37E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLNunito
Source: PDFixers.exe, 00000000.00000002.2931218903.0000018E37E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLNunitoSans12pt-LightVersion
Source: PDFixers.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 172.67.147.142:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B2448B	0_2_0000018E30B2448B
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B25046	0_2_0000018E30B25046
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B251C4	0_2_0000018E30B251C4
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B2512E	0_2_0000018E30B2512E
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B25242	0_2_0000018E30B25242
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B24FC0	0_2_0000018E30B24FC0
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B2534C	0_2_0000018E30B2534C
Source: C:\Users\user\Desktop\PDFixers.exe	Code function: 0_2_0000018E30B24F19	0_2_0000018E30B24F19

Source: PDFixers.exe

Static PE information: No import functions for PE file found

Source: PDFixers.exe, 00000000.00000002.2903084540.000001862AE65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3k vs PDFixers.exe
Source: PDFixers.exe, 00000000.00000002.2926382986.0000018E33886000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejscript9.dll.muiD vs PDFixers.exe

Source: C:\Users\user\Desktop\PDFixers.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: sus36.winEXE@1/5@1/1

Source: C:\Users\user\Desktop\PDFixers.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH

Jump to behavior

Source: C:\Users\user\Desktop\PDFixers.exe

Mutant created: NULL

Source: PDFixers.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PDFixers.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\PDFixers.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PDFixers.exe

ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Section loaded: t2embed.dll	Jump to behavior

Source: C:\Users\user\Desktop\PDFixers.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PDFixers.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PDFixers.exe

Static PE information: certificate valid

Source: PDFixers.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PDFixers.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: PDFixers.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: PDFixers.exe

Static file information: File size 8507584 > 1048576

Source: PDFixers.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7fea00

Source: PDFixers.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PDFixers.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: PDFixers.exe

Static PE information: 0x9FA57E8D [Mon Nov 16 06:26:21 2054 UTC]

Source: C:\Users\user\Desktop\PDFixers.exe

Code function: 0_2_00007FFD9BA0063D push ebx; iretd

0_2_00007FFD9BA0066A

Source: C:\Users\user\Desktop\PDFixers.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18610A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 1862A410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 1862C660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 1862CEF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E308F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30940000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E309E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30A20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30A60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30A80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30AE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30B00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30B20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30B60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30B80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30BA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30BC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30BE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30C00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30C20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30C40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30C80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30CA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30CC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30CE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30D00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30F20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30F60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30F80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30FA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30FC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E30FE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31020000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31040000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31060000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31830000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31850000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31870000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31890000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E318D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E318F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31930000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31950000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31990000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E319B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E319D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E319F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31A10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31A70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31A90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31AB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31AD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31AF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31B10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31B50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31B70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31B90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31BB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31BD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31BF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31C30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31C50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31C70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31CB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31CD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31D10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31D30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31D50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31D70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31DB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31DD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31DF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31E10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31E50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31E70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31E90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31EB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31ED0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31EF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31F10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31F50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31F70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31F90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31FB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E31FF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32010000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32030000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32070000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32090000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E320B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E320D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E320F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32110000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32130000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32150000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32190000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E321B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E321D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E321F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32210000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32230000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32250000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32270000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E322B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E322D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E322F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32310000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32330000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32350000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32370000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32390000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E323D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E323F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32410000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32430000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32450000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32470000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32490000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E324D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E324F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32510000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32530000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32550000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32570000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32590000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E325B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E325F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32610000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32630000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32650000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32670000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32690000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E326B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E326D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32710000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32730000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32750000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32770000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32790000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E327B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E327D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E327F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32830000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32850000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32870000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32890000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E328B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E328D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E328F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32950000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32970000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32990000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E329B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E329D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E329F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32A10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32A70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32A90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32AB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32AD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32AF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32B10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32B30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32B50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32B90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32BB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32BD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32BF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32C10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32C30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32C50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32CB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32CD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32CF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32D10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32D30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32D50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32D70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32DB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32DD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32DF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32E10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32E30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32E50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32E70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32E90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32ED0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32EF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32F10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32F30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32F50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32F70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32F90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32FB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E32FF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33010000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33030000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33050000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33070000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33090000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E330B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E330D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33110000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33130000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33150000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33170000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33190000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E331B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E331D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E331F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33230000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33250000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33270000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33290000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E332B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E332D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E332F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33330000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33350000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33370000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33390000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E333B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E333D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E333F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33410000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33450000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33470000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33890000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E338B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E338D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E338F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33930000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33970000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33990000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E339B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E339D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E339F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33A10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33A50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33A90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33AB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33AD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33AF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33B10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33B30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33B50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Memory allocated: 18E33B70000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E305CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: PDFixers.exe, 00000000.00000002.2910463304.0000018E30630000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\PDFixers.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Users\user\Desktop\PDFixers.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDFixers.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PDFixers.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PDFixers.exe	38%	ReversingLabs	ByteCode-MSIL.PUA.Superfluss

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pixel.pdfixers.com	172.67.147.142	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pixel.pdfixers.com/	false		unknown
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsZreK	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designersG	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/_	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/llF	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scripts.sil.org/OFLNunitoSans12pt-LightVersion	PDFixers.exe, 00000000.00000002.2931218903.0000018E37E34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/ema	PDFixers.exe, 00000000.00000002.2921981855.0000018E325D0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.goodfont.co.kr	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scripts.sil.org/OFLNunito	PDFixers.exe, 00000000.00000002.2930020898.0000018E3714E000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2930797419.0000018E378B0000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2931218903.0000018E37E17000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/H	PDFixers.exe, 00000000.00000002.2910463304.0000018E30565000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsx	PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/cThe	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/3	PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/staff/dennis.htm	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js~	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://scripts.sil.org/OFL	PDFixers.exe, 00000000.00000002.2916744262.0000018E30D20000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsC:	PDFixers.exe, 00000000.00000002.2910463304.0000018E305CF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/cdn-cgi/l/email-protection	PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsu	PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/#	PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fonts.com	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PDFixers.exe, 00000000.00000002.2901936557.0000018612411000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jsgvZD	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/.	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com//	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com	PDFixers.exe, 00000000.00000002.2910463304.0000018E305CF000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E30630000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E30565000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/-	PDFixers.exe, 00000000.00000002.2906876472.000001862C668000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Fonthausen/NunitoSans)Thread-00001ad0-Id-00000000:SubsetRegularVersion	PDFixers.exe, 00000000.00000002.2930020898.0000018E3714E000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2930797419.0000018E378B0000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2931218903.0000018E37E17000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Fonthausen/NunitoSans)	PDFixers.exe, 00000000.00000002.2929710133.0000018E370D2000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2931218903.0000018E37E34000.00000004.00000020.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/C:	PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.comD	PDFixers.exe, 00000000.00000002.2910463304.0000018E30565000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.carterandcone.coml	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/lE	PDFixers.exe, 00000000.00000002.2910463304.0000018E30573000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js7	PDFixers.exe, 00000000.00000002.2912145197.0000018E306FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/p	PDFixers.exe, 00000000.00000002.2901936557.00000186124CB000.00000004.00000800.00020000.00000000.sdmp, PDFixers.exe, 00000000.00000002.2910463304.0000018E3061C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/frere-user.html	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/t	PDFixers.exe, 00000000.00000002.2910463304.0000018E3061C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/:#	PDFixers.exe, 00000000.00000002.2910463304.0000018E306A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers8	PDFixers.exe, 00000000.00000002.2905727021.000001862C0E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pixel.pdfixers.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.jss#	PDFixers.exe, 00000000.00000002.2912145197.0000018E30744000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/...	PDFixers.exe, 00000000.00000002.2910463304.0000018E3061C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/k	PDFixers.exe, 00000000.00000002.2912145197.0000018E3071C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.v	PDFixers.exe, 00000000.00000002.2903084540.000001862ADF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pixel.pdfixers.com/h	PDFixers.exe, 00000000.00000002.2901936557.00000186124CB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://pixel.pdfixers.com/...p	PDFixers.exe, 00000000.00000002.2901936557.00000186124CB000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.147.142	pixel.pdfixers.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428284
Start date and time:	2024-04-18 19:06:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDFixers.exe
Detection:	SUS
Classification:	sus36.winEXE@1/5@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 41 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 74.125.136.95, 64.233.176.94
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PDFixers.exe, PID 6868 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PDFixers.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.147.142	PDFixers.zip	Get hash	malicious	Unknown	Browse
	http://pixel.pdfixers.com	Get hash	malicious	Unknown	Browse
	https://pdfixers.com/downloadFixer.html?campaign_id%5C=21045767915&adgroup_id%5C=158732629346&placement_id%5C=www.espn.com&creative_id%5C=691698233681&gclid%5C=EAIaIQobChMIsdqlwMv-hAMVHKNaBR0-pAc6EAEYASAAEgJE9vD_BwE	Get hash	malicious	Unknown	Browse
	https://pdfixers.com/fixerPdf.html?campaign_id=20793026578&adgroup_id=154442634943&placement_id=www.kalenderpedia.de&creative_id=690578524755&gclid=EAIaIQobChMIiPuO6tH9hAMVcwVPCB0kPAl9EAEYASAAEgKpQfD_BwE	Get hash	malicious	Unknown	Browse
	https://pdfixers.com/	Get hash	malicious	Unknown	Browse
	https://www.hiclipart.com/free-transparent-background-png-clipart-zjdjz/download	Get hash	malicious	Unknown	Browse
	ManyToOneMailMerge Ver 18.8.dotm	Get hash	malicious	Unknown	Browse
	http://pdfixers.com	Get hash	malicious	Unknown	Browse
	http://pdfixers.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pixel.pdfixers.com	PDFixers.zip	Get hash	malicious	Unknown	Browse	172.67.147.142
	http://pixel.pdfixers.com	Get hash	malicious	Unknown	Browse	172.67.147.142
	https://pdfixers.com/downloadFixer.html?campaign_id%5C=21045767915&adgroup_id%5C=158732629346&placement_id%5C=www.espn.com&creative_id%5C=691698233681&gclid%5C=EAIaIQobChMIsdqlwMv-hAMVHKNaBR0-pAc6EAEYASAAEgJE9vD_BwE	Get hash	malicious	Unknown	Browse	172.67.147.142
	https://pdfixers.com/fixerPdf.html?campaign_id=20793026578&adgroup_id=154442634943&placement_id=www.kalenderpedia.de&creative_id=690578524755&gclid=EAIaIQobChMIiPuO6tH9hAMVcwVPCB0kPAl9EAEYASAAEgKpQfD_BwE	Get hash	malicious	Unknown	Browse	172.67.147.142
	https://pdfixers.com/	Get hash	malicious	Unknown	Browse	104.21.11.17
	https://www.hiclipart.com/free-transparent-background-png-clipart-zjdjz/download	Get hash	malicious	Unknown	Browse	172.67.147.142
	ManyToOneMailMerge Ver 18.8.dotm	Get hash	malicious	Unknown	Browse	172.67.147.142
	http://pdfixers.com	Get hash	malicious	Unknown	Browse	172.67.147.142
	http://pdfixers.com	Get hash	malicious	Unknown	Browse	104.21.11.17

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	8Sb3Ng0nF3.exe	Get hash	malicious	LummaC	Browse	172.67.155.93
	Payment Advice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://huntingtonoakmont-my.sharepoint.com/:b:/g/personal/cmariotti_oakmontcommunities_com/EeUv57weU1BKhs36H3rF_G0BHM4kTzJShI_ZPwFvp1P7-g?e=4UASJ5	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Nexpoint-annual-staff-promotion-and-benefits_KDV-791358.docx	Get hash	malicious	Unknown	Browse	104.21.63.140
	Nexpoint-annual-staff-promotion-and-benefits_KDV-791358.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://t.cm.morganstanley.com/r/?id=h1b92d14,134cc33c,1356be32&p1=esi-doc.one/YWGTytNgAkCXj6A/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/bXNvbG9yemFub0Bsc2ZjdS5vcmc=&d=DwMGaQ	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	104.21.84.67
	https://assets-gbr.mkt.dynamics.com/63445ada-d6fc-ee11-9046-002248c656ac/digitalassets/standaloneforms/4f16ddf0-7afd-ee11-a1fe-000d3ad499fa	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	172.67.147.142
	file.exe	Get hash	malicious	Vidar	Browse	172.67.147.142
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	172.67.147.142
	Documentos adjuntos.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.147.142
	20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.147.142
	Purchase.vbs	Get hash	malicious	GuLoader	Browse	172.67.147.142
	Tepanec.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.147.142
	FAR.N#U00ba2430-24000993.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.147.142
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	172.67.147.142
	justificante.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.147.142

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\Desktop\PDFixers.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\css2[1].css

Download File

Process:	C:\Users\user\Desktop\PDFixers.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	306
Entropy (8bit):	5.565724594514051
Encrypted:	false
SSDEEP:	6:0IFFJMg+56ZzSVg5qh7izlpdUDSUPtgZMLQHkI+ro+iFHj0c4vn:jF7pO6ZGmqt6pSXsVHDFHj0v
MD5:	593563DEFDA42F8FAD22F5EA3F89B775
SHA1:	A0C3D8D8C19C01BD3D02B90A126C8CA7F27421B3
SHA-256:	2F02D38536746DAE6535E3354B5B844C48C26589AE1B499BE5CB35EF66EAB511
SHA-512:	7DB83EF0938D2D732FB3B4F41AAC09B332BFC36FED6E4064DF39968BF3EFC9C2C6135C09E137A024A3B12EFF561344A44F3E67D6C131971919A9889628F61F5C
Malicious:	false
Reputation:	low
Preview:	@font-face {. font-family: 'Nunito Sans';. font-style: normal;. font-weight: 300;. font-stretch: normal;. font-display: swap;. src: url(https://fonts.gstatic.com/l/font?kit=pe1mMImSLYBIv1o4X1M8ce2xCx3yop4tQpF_MeTm0lfGWVpNn64CL7U8upHZIbMV51Q42ptCp5F5bxqqtQ1yiU4GiClntQ&skey=60bfdc605ddb00b1&v=v15);.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\QJV1CLZP.htm

Download File

Process:	C:\Users\user\Desktop\PDFixers.exe
File Type:	HTML document, ASCII text, with very long lines (10298), with CRLF line terminators
Category:	dropped
Size (bytes):	33684
Entropy (8bit):	5.605449570007305
Encrypted:	false
SSDEEP:	768:tbRdP1w6Tgt9vJRxcxDc5sWOVD/TSTjnoZ3iIyVhgcEyeoA7JYquMr1:ZRdP1w6TqJJRxcxDc5sWOVD/TSTjntr+
MD5:	1F1DEFF42C2A4678AA49C18A7690A907
SHA1:	3F87554D656630BC32C4CB8CBECBAABA4DB21FCC
SHA-256:	7B53AB3F8B4EA2A76764BEB1327C69C995F5E110728BF2EBF21C44AA7AAF6216
SHA-512:	06475D421F8B5CF23CD65F68FEE6181FFC636DFD29933E81AB655A190CF03F72DB6EC4A2ED50FEE3CDFC6A55DC108752A66F7A9ABCEF9CEFB6A11BC6D70AB5DF
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>.. <meta http-equiv="X-UA-Compatible" content="IE=10" />.. <link href="https://fonts.googleapis.com/css2?family=Nunito+Sans:wght@300&display=swap" rel="stylesheet">.... <title>PDFixers Installation</title>.. <style>.. body {.. overflow: hidden; /* Hide scrollbars */.. }.... body {.. font-family: Arial, sans-serif;.. margin: 20px;.. }.... .container {.. width: 632px;.. height: 777px;.. margin: auto;.. padding: 20px;.. border: 1px solid #ddd;.. }.... .eula {.. margin-top: 20px;.. border: 1px solid #ddd;.. padding: 10px;.. height: 300px;.. overflow: auto;.. }.... .button {.. margin-top: 10px;.. padding: 10px 20px;.. background-color: #4CAF50;.. color: white;.. border: none;.. borde

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\email-decode.min[1].js

Download File

Process:	C:\Users\user\Desktop\PDFixers.exe
File Type:	HTML document, ASCII text, with very long lines (1238)
Category:	dropped
Size (bytes):	1239
Entropy (8bit):	5.068464054671174
Encrypted:	false
SSDEEP:	24:ch63Cf5W8QPIHRZ3hwVFS39bYGwNef1yTZsNUkQ1sZmSuLqNWRco5Jcn5IKM6cuY:C6SQnw/x+SR8ZZkQbp1RZ5JwiKMm7Zc
MD5:	9E8F56E8E1806253BA01A95CFC3D392C
SHA1:	A8AF90D7482E1E99D03DE6BF88FED2315C5DD728
SHA-256:	2595496FE48DF6FCF9B1BC57C29A744C121EB4DD11566466BC13D2E52E6BBCC8
SHA-512:	63F0F6F94FBABADC3F774CCAA6A401696E8A7651A074BC077D214F91DA080B36714FD799EB40FED64154972008E34FC733D6EE314AC675727B37B58FFBEBEBEE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	!function(){"use strict";function e(e){try{if("undefined"==typeof console)return;"error"in console?console.error(e):console.log(e)}catch(e){}}function t(e){return d.innerHTML='<a href="'+e.replace(/"/g,""")+'"></a>',d.childNodes[0].getAttribute("href")\|\|""}function r(e,t){var r=e.substr(t,2);return parseInt(r,16)}function n(n,c){for(var o="",a=r(n,c),i=c+2;i<n.length;i+=2){var l=r(n,i)^a;o+=String.fromCharCode(l)}try{o=decodeURIComponent(escape(o))}catch(u){e(u)}return t(o)}function c(t){for(var r=t.querySelectorAll("a"),c=0;c<r.length;c++)try{var o=r[c],a=o.href.indexOf(l);a>-1&&(o.href="mailto:"+n(o.href,a+l.length))}catch(i){e(i)}}function o(t){for(var r=t.querySelectorAll(u),c=0;c<r.length;c++)try{var o=r[c],a=o.parentNode,i=o.getAttribute(f);if(i){var l=n(i,0),d=document.createTextNode(l);a.replaceChild(d,o)}}catch(h){e(h)}}function a(t){for(var r=t.querySelectorAll("template"),n=0;n<r.length;n++)try{i(r[n].content)}catch(c){e(c)}}function i(t){try{c(t),o(t),a(t)}catch(r){e(r

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\font[1].eot

Download File

Process:	C:\Users\user\Desktop\PDFixers.exe
File Type:	Embedded OpenType (EOT), Nunito Sans 12pt Light family
Category:	dropped
Size (bytes):	43569
Entropy (8bit):	7.965514187975993
Encrypted:	false
SSDEEP:	768:BAovAk9wwidcUfGrYHv2GEu2v/ycF+0iwdEGnysM82tvUwV9d3Cxa8iPat:BAyAk9wwiHrHdshi4BysMX1d3CxaNi
MD5:	C6B85601ADBF8C674B4B444DAD696A5D
SHA1:	9103151C858BD4C99150D6B4386D54E99B1EBF90
SHA-256:	EC8671B432FF49E1E77F48692397E57ECFA584555AC664C932DCCEA0C9A16044
SHA-512:	255B28431550FD2BD7C61080E5645CCEA14CCA43F80AFEA2F7A337E70CB67AA38C978D3777B10DB8A3672D909B268F8499692F278AD590C56C9918AB7429C57F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1...........................,.....LP....K .P........... .......2..................,.N.u.n.i.t.o. .S.a.n.s. .1.2.p.t. .L.i.g.h.t.....R.e.g.u.l.a.r...:.V.e.r.s.i.o.n. .3...1.0.1.;.g.f.t.o.o.l.s.[.0...9...2.7.]...,.N.u.n.i.t.o. .S.a.n.s. .1.2.p.t. .L.i.g.h.t.....BSGP............................l.............L...h4[... ..c#.....>!.@.y>.x..8v6...&.rl..G2?..S.....^:}i..rp...=..v^:._.[R..x..$)&.;..Pxk.4.Eh..6. ..4.UC7a..I.!..Ib?.l(.....MEz...d.[zu.{.-9..2..O...4.>Y.4l..W.g...a..o......3-..ka?..!..9.;.YN..Z.k....'..`....R.y...=.+......`.O....KS.X...:?}0n.....l....P..k.S..).x#...Q..i.e....0n..a.q...H\|.<wZ.2.........a.....C..'<`Wr4^.'{.\.....s.N<{R\.Yyo....)x....-\P.....N...$..,.M...v.pB..4'.P.T3F.31.......`..ZF.%..J3.....X.W..Ky..+..=`n..{.`.Q.......ri`..Q.5r.=...V..X..~..C..j:...qZ..yX.c.X>n..v.......v.54..h*X.K....!..:.. .6...J.AL.$M.....:YS1z..Ty....0.....AahG...w......j......zu..yw[D..)&'.^.()aj..'....q .0$.G.<tE..@W....K7....~.}A....6...m>Q...`G.x.Q.8^...Ak

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9781740953081055
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	PDFixers.exe
File size:	8'507'584 bytes
MD5:	b4440eea7367c3fb04a89225df4022a6
SHA1:	5a6c01f821f10f6ed1f1283ecba36c5bacfb5838
SHA256:	a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0
SHA512:	69c3a0339aa6d060845570527205136d4aa04b2f13b983e1e84a0d2d9a90e99ec827999a20c57e27a4c27d36e633bb264ddd95a43c03e47cfa3d9f6377e57e76
SSDEEP:	196608:qn1PLvFtljMRfLjjL4/Y8261NG9HTta83vm:qnZFtlIP4/Y7pO8/m
TLSH:	248633347200718BEA6A7E39CD47FD24467BDE42AB4B8F3714593288B6FA6DE0710857
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....~............"...P.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	09354145557f6746

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9FA57E8D [Mon Nov 16 06:26:21 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	21/11/2023 05:47:08 21/11/2024 05:47:08
Subject Chain	CN=ADSMARKETO LLC, O=ADSMARKETO LLC, STREET="Rybolovetska street, building 49", L=Kyiv, S=Kyiv, C=UA, OID.1.3.6.1.4.1.311.60.2.1.3=UA, SERIALNUMBER=45092259, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	CE9A9C6EBB57C0A9EEFEAC3B7ECF65DE
Thumbprint SHA-1:	40C0CB1A69BC8AF1256B2862D729A330937B4CFF
Thumbprint SHA-256:	22DE62CECEF82EDAEC2B6586D463BCB8FBABE8734C95916A4C51F5CFFBED346F
Serial:	2AC7FCE6B9C96D57663F6BB4

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x802000	0x1b4bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x81a200	0x2ec0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x800860	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7fe87c	0x7fea00	829ae0eee9a26946b0cb8f6cae5194d8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x802000	0x1b4bc	0x1b600	88250d9b576ea4b56b614ec4fe007258	False	0.17515696347031964	data	3.430310527618212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8021a0	0x282c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9795799299883314
RT_ICON	0x8049dc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	0.06360167987696676
RT_ICON	0x815214	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	0.09996457250826642
RT_ICON	0x81944c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	0.13101659751037345
RT_ICON	0x81ba04	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	0.1801125703564728
RT_ICON	0x81cabc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	0.3120567375886525
RT_GROUP_ICON	0x81cf34	0x5a	data	0.7666666666666667
RT_VERSION	0x81cfa0	0x31c	data	0.4271356783919598
RT_MANIFEST	0x81d2cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 19:07:02.314861059 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.314899921 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.314982891 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.325160027 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.325176001 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.553831100 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.553927898 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.662455082 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.662538052 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.663044930 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.663116932 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.676153898 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.720161915 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838251114 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838316917 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838356972 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838398933 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838417053 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838440895 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838494062 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838536024 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838536024 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838553905 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838562012 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838574886 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838614941 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838641882 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838696003 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838913918 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838922024 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.838937998 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.838970900 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.839492083 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.839504957 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.839677095 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.848272085 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848335028 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848351002 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.848381996 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848396063 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.848428965 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.848800898 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848865986 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848897934 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848922968 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.848932981 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.848982096 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.848999977 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.849292994 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.849340916 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.849366903 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.849416971 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.849422932 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.849466085 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.849472046 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.849514961 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.849522114 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.849565983 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.850198030 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.850250006 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.850256920 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.850322008 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.850327969 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.850380898 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.850380898 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.850513935 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.856105089 CEST	49734	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.856142044 CEST	443	49734	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.873226881 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.873316050 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:02.873445034 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.873733997 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:02.873768091 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.095834970 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.095952988 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.096535921 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.096548080 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.097090960 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.097096920 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.355570078 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.355638981 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.355659008 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.355706930 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.355712891 CEST	443	49736	172.67.147.142	192.168.2.4
Apr 18, 2024 19:07:03.355762959 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.361172915 CEST	49736	443	192.168.2.4	172.67.147.142
Apr 18, 2024 19:07:03.361187935 CEST	443	49736	172.67.147.142	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 19:07:02.197083950 CEST	57969	53	192.168.2.4	1.1.1.1
Apr 18, 2024 19:07:02.309199095 CEST	53	57969	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 19:07:02.197083950 CEST	192.168.2.4	1.1.1.1	0xcc78	Standard query (0)	pixel.pdfixers.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 19:07:02.309199095 CEST	1.1.1.1	192.168.2.4	0xcc78	No error (0)	pixel.pdfixers.com		172.67.147.142	A (IP address)	IN (0x0001)	false
Apr 18, 2024 19:07:02.309199095 CEST	1.1.1.1	192.168.2.4	0xcc78	No error (0)	pixel.pdfixers.com		104.21.11.17	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pixel.pdfixers.com

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	172.67.147.142	443	6868	C:\Users\user\Desktop\PDFixers.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 17:07:02 UTC	432	OUT	GET / HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: pixel.pdfixers.com Connection: Keep-Alive
2024-04-18 17:07:02 UTC	991	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 17:07:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: AWSALB=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX; Expires=Thu, 25 Apr 2024 17:07:02 GMT; Path=/ Set-Cookie: AWSALBCORS=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX; Expires=Thu, 25 Apr 2024 17:07:02 GMT; Path=/; SameSite=None Cache-Control: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hdDtOlelV0PcfV2S8CAhjQ3Y9j2qdDgUEsJBZLxNAu4CKMHIyB5MKKbLeF7KPGszehiAiHx4JzKv76lChGNgS6f0yOFa1dvwUduTz0ekIEQlf6%2FXfQAxdo6t%2FwzXXAS6I2%2FduXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87663fb61f5ab057-ATL alt-svc: h3=":443"; ma=86400
2024-04-18 17:07:02 UTC	378	IN	Data Raw: 33 35 62 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 75 6e 69 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 33 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 44 46 69 78 65 72 73 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 Data Ascii: 35bd<!DOCTYPE html><html><head> <meta http-equiv="X-UA-Compatible" content="IE=10" /> <link href="https://fonts.googleapis.com/css2?family=Nunito+Sans:wght@300&display=swap" rel="stylesheet"> <title>PDFixers Installation</title>
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 36 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 37 37 37 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 64 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 Data Ascii: -family: Arial, sans-serif; margin: 20px; } .container { width: 632px; height: 777px; margin: auto; padding: 20px; border: 1px solid #ddd; }
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 34 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 34 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 34 30 70 78 3b 0d 0a 20 Data Ascii: center; flex-direction: column; align-items: center; } .loader { border: 4px solid #f3f3f3; border-top: 4px solid #3498db; border-radius: 50%; width: 40px;
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 2f 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 62 75 74 74 6f 6e 2d 63 6f 6e 74 61 69 6e 65 72 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 62 74 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 35 70 78 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 75 72 73 Data Ascii: / text-align: center; } .button-container span { vertical-align: middle; font-size: 10px; } .btn { width: 100px; padding: 15px 10px; curs
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 4e 6f 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 61 6c 6c 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 6f 73 65 2d 62 75 74 74 6f 6e 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 22 20 73 72 63 3d 27 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 4d 67 41 41 41 44 49 43 41 59 41 41 41 43 74 57 4b 36 65 41 41 41 41 42 48 4e 43 53 56 51 49 43 41 67 49 66 41 68 6b 69 41 41 41 41 41 6c 77 53 46 6c 7a 41 41 41 Data Ascii: No</button> </div> </div> <div id="all"> <div class="close-button"> <img width="10" src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAYAAACtWK6eAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAA
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 43 42 76 31 4c 6c 59 6a 67 46 62 42 72 35 4a 2f 4f 4d 33 77 48 57 5a 73 38 37 43 63 6f 68 6c 34 42 76 45 4c 30 45 44 48 4d 79 63 64 52 71 57 51 36 2b 6f 71 53 51 31 66 4b 6d 4c 35 64 42 70 6c 6f 43 76 45 37 38 55 44 58 41 6f 63 39 59 7a 73 52 78 61 31 78 4c 77 4e 65 4b 58 6f 77 45 4f 5a 38 37 36 61 69 79 48 4e 72 51 45 50 45 62 38 6b 6a 54 41 6b 63 78 5a 54 32 59 35 4e 4c 45 6c 34 4b 76 45 4c 30 73 44 33 4a 41 35 4b 30 41 4b 79 6d 59 35 46 74 67 53 38 42 58 69 6c 36 59 42 62 73 79 59 4d 31 57 51 7a 33 49 73 71 43 58 67 79 38 51 76 54 77 50 63 6c 43 46 66 71 69 43 58 35 56 68 77 53 38 43 6a 78 43 39 52 41 39 7a 63 59 61 35 55 51 5a 36 47 6e 6e 32 4a 7a 56 41 74 41 59 38 51 76 30 77 4e 63 45 73 48 65 56 49 46 4f 53 78 48 7a 79 77 42 44 78 4f 2f 56 41 33 7a Data Ascii: CBv1LlYjgFbBr5J/OM3wHWZs87Ccohl4BvEL0EDHMycdRqWQ6+oqSQ1fKmL5dBploCvE78UDXAoc9YzsRxa1xLwNeKXowEOZ876aiyHNrQEPEb8kjTAkcxZT2Y5NLEl4KvEL0sD3JA5K0AKymY5FtgS8BXil6YBbsyYM1WQz3IsqCXgy8QvTwPclCFfqiCX5VhwS8CjxC9RA9zcYa5UQZ6Gnn2JzVAtAY8Qv0wNcEsHeVIFOSxHzywBDxO/VA3z
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 6a 75 6f 49 45 53 38 66 4f 31 4a 44 4f 34 44 4d 74 52 53 69 4a 2b 7a 71 76 41 4a 5a 6c 7a 39 73 5a 57 78 67 4f 4c 66 72 51 68 6c 4b 4f 56 69 4a 2f 33 4b 6e 42 78 35 70 77 4c 37 31 49 73 52 35 52 45 2f 4e 78 58 67 59 73 79 35 31 78 59 6c 69 4e 65 49 6e 37 2b 4b 38 43 46 6d 58 4d 75 6e 45 75 77 48 4c 56 49 78 4c 2f 44 43 6e 42 42 35 70 77 4c 77 33 4c 55 4a 78 48 2f 48 70 61 45 38 56 2f 4b 4c 45 65 64 45 76 48 76 73 67 4b 63 6e 7a 6c 6e 74 53 37 43 63 74 51 75 45 66 38 2b 4b 38 42 35 6d 58 4e 57 35 30 4c 47 77 61 4f 48 62 7a 6b 32 6c 6f 68 2f 70 35 65 42 54 32 54 4f 57 59 33 7a 73 42 79 4c 4a 68 48 2f 58 69 38 44 48 38 75 63 4d 39 77 48 67 42 50 45 44 39 74 79 54 43 38 52 2f 32 37 2f 42 64 36 62 4f 57 65 59 73 34 41 2f 45 7a 39 6b 79 7a 47 37 52 50 7a 37 2f Data Ascii: juoIES8fO1JDO4DMtRSiJ+zqvAJZlz9sZWxgOLfrQhlKOViJ/3KnBx5pwL71IsR5RE/NxXgYsy51xYliNeIn7+K8CFmXMunEuwHLVIxL/DCnBB5pwLw3LUJxH/HpaE8V/KLEedEvHvsgKcnzlntS7CctQuEf8+K8B5mXNW50LGwaOHbzk2loh/p5eBT2TOWY3zsByLJhH/Xi8DH8ucM9wHgBPED9tyTC8R/27/Bd6bOWeYs4A/Ez9kyzG7RPz7/
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 63 34 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 31 32 22 3e 41 74 20 70 64 66 69 78 65 72 73 20 28 26 6c 64 71 75 6f 3b 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 31 22 3e 43 6f 6d 70 61 6e 79 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 31 32 22 3e 26 72 64 71 75 6f 3b 20 6f 72 20 26 6c 64 71 75 6f 3b 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 31 22 3e 77 65 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 30 22 3e 26 6c 64 71 75 6f 3b 29 2c 20 77 65 20 70 6c 61 63 65 20 67 72 65 61 74 20 69 6d 70 6f 72 74 61 6e 63 65 20 6f 6e 20 70 72 69 76 61 63 79 2c 20 73 65 63 75 72 69 74 79 2c 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 61 66 65 74 79 Data Ascii: <p class="c4"><span class="c12">At pdfixers (“</span><span class="c1">Company</span><span class="c12">” or “</span><span class="c1">we</span><span class="c0">“), we place great importance on privacy, security, and online safety
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 65 20 53 6f 66 74 77 61 72 65 2c 20 77 65 20 73 74 72 6f 6e 67 6c 79 20 72 65 63 6f 6d 6d 65 6e 64 20 74 68 61 74 20 75 73 65 72 73 20 63 61 72 65 66 75 6c 6c 79 20 72 65 76 69 65 77 20 74 68 69 73 20 50 6f 6c 69 63 79 2e 20 46 6f 72 20 43 61 6c 69 66 6f 72 6e 69 61 20 72 65 73 69 64 65 6e 74 73 2c 20 77 65 20 61 6c 73 6f 20 61 64 76 69 73 65 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6f 6d 70 61 6e 79 26 72 73 71 75 6f 3b 73 20 73 70 65 63 69 66 69 63 26 6e 62 73 70 3b 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 37 22 3e 43 43 50 41 20 50 72 69 76 61 63 79 20 4e 6f 74 69 63 65 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 63 34 22 3e 3c 73 70 61 6e 20 63 6c 61 Data Ascii: e Software, we strongly recommend that users carefully review this Policy. For California residents, we also advise reviewing the Company’s specific </span><span class="c7">CCPA Privacy Notice</span></p> <p class="c4"><span cla
2024-04-18 17:07:02 UTC	1369	IN	Data Raw: 20 3c 70 20 63 6c 61 73 73 3d 22 63 34 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 30 22 3e 41 6c 6c 20 63 6f 6c 6c 65 63 74 69 6f 6e 20 6f 66 20 50 65 72 73 6f 6e 61 6c 20 44 61 74 61 20 77 69 6c 6c 20 61 64 68 65 72 65 20 74 6f 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 6c 61 77 66 75 6c 20 70 72 69 6e 63 69 70 6c 65 73 20 75 6e 64 65 72 20 74 68 65 20 47 44 50 52 3a 20 28 31 29 20 70 72 6f 63 65 73 73 69 6e 67 20 6f 6e 6c 69 6e 65 20 69 64 65 6e 74 69 66 69 65 72 73 20 66 6f 72 20 6f 70 65 72 61 74 69 6f 6e 61 6c 20 61 6e 64 20 66 75 6e 63 74 69 6f 6e 61 6c 20 70 75 72 70 6f 73 65 73 2c 20 28 32 29 20 70 72 6f 63 65 73 73 69 6e 67 20 74 68 65 20 75 73 65 72 26 72 73 71 75 6f 3b 73 20 63 6f 6e 74 61 63 74 20 64 65 74 61 69 6c 73 20 69 66 20 74 68 Data Ascii: <p class="c4"><span class="c0">All collection of Personal Data will adhere to the following lawful principles under the GDPR: (1) processing online identifiers for operational and functional purposes, (2) processing the user’s contact details if th

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	172.67.147.142	443	6868	C:\Users\user\Desktop\PDFixers.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 17:07:03 UTC	699	OUT	GET /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js HTTP/1.1 Accept: / Referer: https://pixel.pdfixers.com/ Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: pixel.pdfixers.com Connection: Keep-Alive Cookie: AWSALB=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX; AWSALBCORS=Q/1o7mNuh5fikW8QfQj8pZbv2W22gQW8jgkIVYHaWbjaucSDx1L+/++aYi0liKAcAftPQ55D8zVpAO4skMIKg7H2PLfsZt2z3kikjf49sDnY8oTMTYTGxnqyvBAX
2024-04-18 17:07:03 UTC	752	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 17:07:03 GMT Content-Type: application/javascript Content-Length: 1239 Connection: close Last-Modified: Mon, 15 Apr 2024 08:31:34 GMT ETag: "661ce5e6-4d7" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HHXMjl6Ro3HP%2Fqn5nhbu5xFGndX0ty8Mf3HN2BXJMQFrXfR7lQYMog7Ls57unaC%2FSThruHwUG3kiJwWkRMcNPZRLSIMnyYjqUks85HP7DNL0Kbb09ELWdKswrcpe5SScZ4iY9Tk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87663fb98b4406ec-ATL X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Sat, 20 Apr 2024 17:07:03 GMT Cache-Control: max-age=172800 Cache-Control: public Accept-Ranges: bytes
2024-04-18 17:07:03 UTC	617	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 65 28 65 29 7b 74 72 79 7b 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 63 6f 6e 73 6f 6c 65 29 72 65 74 75 72 6e 3b 22 65 72 72 6f 72 22 69 6e 20 63 6f 6e 73 6f 6c 65 3f 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 65 29 3a 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 65 29 7d 63 61 74 63 68 28 65 29 7b 7d 7d 66 75 6e 63 74 69 6f 6e 20 74 28 65 29 7b 72 65 74 75 72 6e 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 27 3c 61 20 68 72 65 66 3d 22 27 2b 65 2e 72 65 70 6c 61 63 65 28 2f 22 2f 67 2c 22 26 71 75 6f 74 3b 22 29 2b 27 22 3e 3c 2f 61 3e 27 2c 64 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 30 5d 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 68 72 65 66 Data Ascii: !function(){"use strict";function e(e){try{if("undefined"==typeof console)return;"error"in console?console.error(e):console.log(e)}catch(e){}}function t(e){return d.innerHTML='<a href="'+e.replace(/"/g,""")+'"></a>',d.childNodes[0].getAttribute("href
2024-04-18 17:07:03 UTC	622	IN	Data Raw: 66 2c 61 2b 6c 2e 6c 65 6e 67 74 68 29 29 7d 63 61 74 63 68 28 69 29 7b 65 28 69 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 6f 28 74 29 7b 66 6f 72 28 76 61 72 20 72 3d 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 75 29 2c 63 3d 30 3b 63 3c 72 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 74 72 79 7b 76 61 72 20 6f 3d 72 5b 63 5d 2c 61 3d 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 69 3d 6f 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 66 29 3b 69 66 28 69 29 7b 76 61 72 20 6c 3d 6e 28 69 2c 30 29 2c 64 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 54 65 78 74 4e 6f 64 65 28 6c 29 3b 61 2e 72 65 70 6c 61 63 65 43 68 69 6c 64 28 64 2c 6f 29 7d 7d 63 61 74 63 68 28 68 29 7b 65 28 68 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 61 28 74 29 7b 66 6f 72 28 76 61 72 20 72 3d 74 2e Data Ascii: f,a+l.length))}catch(i){e(i)}}function o(t){for(var r=t.querySelectorAll(u),c=0;c<r.length;c++)try{var o=r[c],a=o.parentNode,i=o.getAttribute(f);if(i){var l=n(i,0),d=document.createTextNode(l);a.replaceChild(d,o)}}catch(h){e(h)}}function a(t){for(var r=t.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: PDFixers.exePID: 6868, Parent PID: 2580

General

Target ID:	0
Start time:	19:06:57
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\PDFixers.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PDFixers.exe"
Imagebase:	0x1860fee0000
File size:	8'507'584 bytes
MD5 hash:	B4440EEA7367C3FB04A89225DF4022A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: PDFixers.exePID: 6868, Parent PID: 2580COMMON

Executed Functions

Function 0000018E30B2448B Relevance: 3.7, Strings: 2, Instructions: 1189COMMON

Download Yara Rule

Strings

@eG3, xrefs: 0000018E30B246DE
0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2$@eG3
API String ID: 0-282016728
Opcode ID: 567eff489c1f80a72f4ffdd8a7aa918faf7c19a3d83b15c33706614a890e30d6
Instruction ID: 2d84c3189d8e1dc083d5275712c50177a089afb4571e09fc1710ae7e57cd479e
Opcode Fuzzy Hash: 567eff489c1f80a72f4ffdd8a7aa918faf7c19a3d83b15c33706614a890e30d6
Instruction Fuzzy Hash: 7B82EE2021DF884FE75ACB2C94146A57FE1FF9A740F5845CFE48ACB6E2CA229C41C795

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B24F19 Relevance: 2.9, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

@eG3, xrefs: 0000018E30B246DE
0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2$@eG3
API String ID: 0-282016728
Opcode ID: 64f3576b91ce942a9af7bc813fa770695413dfba40f39d445a99518bd5dda812
Instruction ID: ecada05a8644621b53462c5403bb193f40fb76daee15a27265373d9aae8fc1c2
Opcode Fuzzy Hash: 64f3576b91ce942a9af7bc813fa770695413dfba40f39d445a99518bd5dda812
Instruction Fuzzy Hash: AAD1933021DE584FEB69CB2C9414AA57BE1FF9A740F4445CFE44ACB6E6CE219D81CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B24FC0 Relevance: 2.9, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

@eG3, xrefs: 0000018E30B246DE
0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2$@eG3
API String ID: 0-282016728
Opcode ID: 9375c28dcb8bdc32045a81a42951b70cdda3199452061d6e5dff04ca6e66cd38
Instruction ID: 588c159f0b3f9961621b4add23eff8073e19eab8c8c5b7978e7e70c6bd68e848
Opcode Fuzzy Hash: 9375c28dcb8bdc32045a81a42951b70cdda3199452061d6e5dff04ca6e66cd38
Instruction Fuzzy Hash: A0D1813021CE4C4FEB69DB2C9414AA57BE1FF9A740B4445CFE44ACB6E6CE219D81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B25046 Relevance: 2.9, Strings: 2, Instructions: 374COMMON

Download Yara Rule

Strings

@eG3, xrefs: 0000018E30B246DE
0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2$@eG3
API String ID: 0-282016728
Opcode ID: 2461931c33cd239866d9e839251f3ff589344ba0e0064878b6138912d87713bd
Instruction ID: d8d9bd560af5e30395752bd7e94e68ab8fdbd330cdc874e81fba19116b40cde7
Opcode Fuzzy Hash: 2461931c33cd239866d9e839251f3ff589344ba0e0064878b6138912d87713bd
Instruction Fuzzy Hash: 34B1823021CE4C4FEB69DB2C9414AA57BE1FF5A740B4545CFE44ACB6E6CE219D81CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B2512E Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2
API String ID: 0-2068094079
Opcode ID: 33b3e23172233dd249a47827f8ad7d617a5fb405756d7ce896d3d0b674b04a44
Instruction ID: 36a5d1dcc874d2bf67fa9964a9f875868194babeef8705e7c527e5fc5c0c68bc
Opcode Fuzzy Hash: 33b3e23172233dd249a47827f8ad7d617a5fb405756d7ce896d3d0b674b04a44
Instruction Fuzzy Hash: 4B91A33021CE4C4FEB69DB2C9414AA57BE1EF9A740B4445CFE44ACB6E6CE21AD81C794

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B251C4 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2
API String ID: 0-2068094079
Opcode ID: 6423cd119d4f6050a7b10b79f6627eeec0fe90c8d5499dc946f9ceacdc3b8701
Instruction ID: 5181113d33763ca9b751c9a49c6796f9f0f51c366b841bf762ac41aa3f5ad15b
Opcode Fuzzy Hash: 6423cd119d4f6050a7b10b79f6627eeec0fe90c8d5499dc946f9ceacdc3b8701
Instruction Fuzzy Hash: 0B71D63021CE4C4FEBA9DB1C9454A6177E1EF99750B4445CFE44ACB6E6CE21ED81C784

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B25242 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2
API String ID: 0-2068094079
Opcode ID: b61218b67ea609f1e165f2513bb2fb8bc4b2b2aed4e20833a9e45cc37185a173
Instruction ID: 5cd5937b3e1ac5de527fd122e0662f1e0da8134b7de9921f15b29ea4de4f42d5
Opcode Fuzzy Hash: b61218b67ea609f1e165f2513bb2fb8bc4b2b2aed4e20833a9e45cc37185a173
Instruction Fuzzy Hash: 8B61A43021CE4C4FEBA9DB1C9454AA077E1EF99750B4845CBD44ACB6E6CE21ED81CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B2534C Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2
API String ID: 0-2068094079
Opcode ID: 689e1bc9c8ea49c09e883d579fc7074354046600f9a1abba9e4f761154525514
Instruction ID: 5e04ff90b18b65632a80d83d8a50927bdd024038b5f9ac9b256446dc572d9678
Opcode Fuzzy Hash: 689e1bc9c8ea49c09e883d579fc7074354046600f9a1abba9e4f761154525514
Instruction Fuzzy Hash: 3951E63161DE4C4FEB99DB2CA414AA477E1EF99350F4846CBD849CB2E6DD21EC81C784

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B240A1 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

0V^2, xrefs: 0000018E30B24143

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0V^2
API String ID: 0-1437684965
Opcode ID: 8e7e01c48afeba668eddf162f17b404970ed827b0e32a9088733215e0be2662b
Instruction ID: d082d74d1647f6636e1c36478a0e4ce4fddd9dff807406f14f23fb3181813051
Opcode Fuzzy Hash: 8e7e01c48afeba668eddf162f17b404970ed827b0e32a9088733215e0be2662b
Instruction Fuzzy Hash: 79A1E32121DF884FE78A9B2C84187653FE0EF9A341F4485DFD889CB6A3DA229D41C781

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B23A17 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

pcG3, xrefs: 0000018E30B2399A

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: pcG3
API String ID: 0-176685
Opcode ID: c2f28e71a0a4277cfc449c52779925dc98c7fe77702a718b5963002ef88b51fd
Instruction ID: e15edb2b10c66fe9ad2d2737222290e719afa9c2a07f895c1122a1a9fab072ee
Opcode Fuzzy Hash: c2f28e71a0a4277cfc449c52779925dc98c7fe77702a718b5963002ef88b51fd
Instruction Fuzzy Hash: 9461B03050EF884FEB4A9B3C98146A47FE0FF1A750B1445DFE489CB2A3DA269C41C796

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B252C7 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

0h^2, xrefs: 0000018E30B24951

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID: 0h^2
API String ID: 0-2068094079
Opcode ID: 5a82a9ff51af45646be4849238fc40c66c7c8e94d612f85e077b83e40c1c7a56
Instruction ID: a5d49ea62c8308c1a9a71c6c433ae6e03d41a08b9315bdbbec7b18d0d06860d0
Opcode Fuzzy Hash: 5a82a9ff51af45646be4849238fc40c66c7c8e94d612f85e077b83e40c1c7a56
Instruction Fuzzy Hash: 3F51C43121CE4C4FEBA9DB2C9454AA077E1EF99710B4546CBD84ACB2E6CE21ED81C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA008D5 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

ZA", xrefs: 00007FFD9BA00925

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID: ZA"
API String ID: 0-1987483056
Opcode ID: d62f69084790aabb9d663ce5a19dadf825327ea0d54e026e5fb7dad883d985a1
Instruction ID: 0ee306eb8ec02ec1d2a44ccbe7594b5519d20ca43e5e02e97c3d43688e6d83ae
Opcode Fuzzy Hash: d62f69084790aabb9d663ce5a19dadf825327ea0d54e026e5fb7dad883d985a1
Instruction Fuzzy Hash: 66014932A0AB8D0FE7559B6888645E937B2FF85380F4601B6D045C71A3DE2869058740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA017F1 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b5a38594d3ca920b26991cd74747983e0596320606c4b543d707bdfd973fdd
Instruction ID: fe6379702c16d6607f353f1fe78578db8993d4919ffec580063f551bb9071af6
Opcode Fuzzy Hash: 93b5a38594d3ca920b26991cd74747983e0596320606c4b543d707bdfd973fdd
Instruction Fuzzy Hash: 40D1C9307099484FDBA5EB68C465BE977E1EFAA300F0541BEE08DC72A2DE64DD458781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA013B5 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c733e243fa38baa6160dc8463ce31f65a2945b601eb99bdcf2ee1bd696e818
Instruction ID: c22e5ae1725305f9e232fb0264b8a078408f0e4550aa2cfcf0a4487ab760066c
Opcode Fuzzy Hash: f5c733e243fa38baa6160dc8463ce31f65a2945b601eb99bdcf2ee1bd696e818
Instruction Fuzzy Hash: 0D81F831B0EA8E4FEBA5DB6C44646B87BD1FF67310F1501BAE48DC71E2DE59A9018341

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B2432F Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601cf444000d81ebdca235b83c3d33368febe7043ae8169f60c31b155906188c
Instruction ID: 0a2b30c34fc56b61aa18904eb8bc3c97a9acb732506910e56dc99e72e5d40325
Opcode Fuzzy Hash: 601cf444000d81ebdca235b83c3d33368febe7043ae8169f60c31b155906188c
Instruction Fuzzy Hash: F161CB2011EF884FEB4A8B2C88156A53FE0EF4A340F0845DFD889CF6A3DA265D55C796

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B24C5A Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08797e1cd81a582145a98832d9d80d774babe93c2c358c99e03931dba71ca6a2
Instruction ID: 09dfb9a93644ad258cd2455e0281fa5bba47577e9a16bceaf1f31947f0b69997
Opcode Fuzzy Hash: 08797e1cd81a582145a98832d9d80d774babe93c2c358c99e03931dba71ca6a2
Instruction Fuzzy Hash: 5C51992010EBC45FE74A8B3C84246913FE0EF0B384B5949CFD885CF6A3CA225D59C796

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B267F7 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182d1fd8bf7c17319c2f7f414ac6a853bb48ee342eabaf4a5a3652a7d8a24fbe
Instruction ID: 9de38b7347ff73ff0e618caac60ad315d6df774216ab9dab0c074b9669c54e4a
Opcode Fuzzy Hash: 182d1fd8bf7c17319c2f7f414ac6a853bb48ee342eabaf4a5a3652a7d8a24fbe
Instruction Fuzzy Hash: 3C41AF2120EF885FE79A9B3C842969A7FE0EF4B780F5448CB9885CF2A3DD124D44C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B23985 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead9479c6a4cb25e2595481cffbe9cf39fdf66cf09b8948b7bb281006662aee3
Instruction ID: aa0a83298372b24235de064d89be8a67447f02ca25d2947dac24809732f559ae
Opcode Fuzzy Hash: ead9479c6a4cb25e2595481cffbe9cf39fdf66cf09b8948b7bb281006662aee3
Instruction Fuzzy Hash: 1321BF3120EE8C4FE759EB6CA458A657BD0EB5A314B0405DFD48ECB2A2C9129D80C796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA01713 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce1292ea8788ee4a18fc756e40d4882dbdc2b9211dcc152b238aeaa738ace2f
Instruction ID: a9302fb58194e22a45d2e55fcf7e72defe3945af254cb5d07d3bd51dd8f161d5
Opcode Fuzzy Hash: 6ce1292ea8788ee4a18fc756e40d4882dbdc2b9211dcc152b238aeaa738ace2f
Instruction Fuzzy Hash: 0F31822164F7C94FD7A797B884656913FE1AF5B620B0A40EBE0C9CB1B3C9494C0AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA00854 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c452544eec1f76737a1f67d01d4a6daa83bc15669fb7e432a30cee5e36e1cd10
Instruction ID: 2844e8f33e54a79b95bc2e6f0fd03d4d1ded9c180584bd555afe52d9c43dd176
Opcode Fuzzy Hash: c452544eec1f76737a1f67d01d4a6daa83bc15669fb7e432a30cee5e36e1cd10
Instruction Fuzzy Hash: C801DF32A0A78CDFDB12AB7454654EA3FB0EF46205F4600ABE499C60A2DA35A6188751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA00858 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6badf68a4809890a4bc004aad5e30a09883b2e6e9a9b0c2fee6ceff9aadc4719
Instruction ID: 4513f13d12d7432fc750781f6b347045a739e3de0ce326025ab5521bab90fbf4
Opcode Fuzzy Hash: 6badf68a4809890a4bc004aad5e30a09883b2e6e9a9b0c2fee6ceff9aadc4719
Instruction Fuzzy Hash: A5012631A0A78CDFD702BB7454748E93FF0AF06205F0600EBE899C60D3DE3596188741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA0083F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f637411527339bb795f6ef86979e7b7147e6544dd11a49b2f8245d9d54659b9
Instruction ID: 329e0d26a17565032a817afba4030e33c100ae4943be991af20378297a109824
Opcode Fuzzy Hash: 6f637411527339bb795f6ef86979e7b7147e6544dd11a49b2f8245d9d54659b9
Instruction Fuzzy Hash: 8301D631A0E78C4FD721AB7858695EE7FB0FF42201F4500F7E598C7193D93995088791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA00AF1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c4fa0227ca9fb67c0c3d3f95ec9f5e94820a0484934dc797bb21d9853198af
Instruction ID: eca72b536a8184f53d3edf0561d0860491a4a63badfe029c06c84254827b5965
Opcode Fuzzy Hash: b2c4fa0227ca9fb67c0c3d3f95ec9f5e94820a0484934dc797bb21d9853198af
Instruction Fuzzy Hash: 2EF0E22060EBC94FD335C77888683E17FE2AF96300F0D44DEC0CDC6293CA9928448392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA02450 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf3f4e8651d068ba3f0748de31fa349cfaa7e9e9334cf33127dd77bd4ccb096
Instruction ID: d5951fc4e1e3c6e314dee20b7a377e4f2f274c0b08b91cd1a5530a273744684c
Opcode Fuzzy Hash: fbf3f4e8651d068ba3f0748de31fa349cfaa7e9e9334cf33127dd77bd4ccb096
Instruction Fuzzy Hash: 80E01A3061EE8C8FCB4AE72C8590E403BE0DF5B34475901C6E448CF267D554D8958751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BA00F92 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2932671716.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438aeb818b83c4dd1a42f2f9164053bfd0bbb502641e2af9e50488b920ec90c0
Instruction ID: de28817c16a4fb7229ec2260243b0dadfbae414c17f02ec7397652fbf9e8c60e
Opcode Fuzzy Hash: 438aeb818b83c4dd1a42f2f9164053bfd0bbb502641e2af9e50488b920ec90c0
Instruction Fuzzy Hash: 53E0C221B0EC8E9FCB54E3A8C0618D5B7E0EBA932031549ABC00DC728ACD24EC5587C0

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EC9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00F71 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00F69 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00F51 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EF9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EE1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00EE9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00ED9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00F49 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B00F21 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915819653.0000018E30B00000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b00000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction ID: 665f5f326d3ae0e2bbf3ea046482c1db7b3858cab3c5ff48566e006dff6938c4
Opcode Fuzzy Hash: f86a149720524edf44fffb510865ef5a26b4f11ee9aa638d1aac4159393f1c79
Instruction Fuzzy Hash: E19002144A544765D43411910C4529C64817388350FD484C1481691144DD4D07962652

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30B2A400 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2915864651.0000018E30B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018E30B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18e30b20000_PDFixers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbe02e37b954182d9803027c4eeb638a80a36a75a1fd5cf5610385dee48349f
Instruction ID: a91c6a22a595aea7754797840c5d9cef8a43e8960cb219e78587fa7e8bdc73fe
Opcode Fuzzy Hash: dfbe02e37b954182d9803027c4eeb638a80a36a75a1fd5cf5610385dee48349f
Instruction Fuzzy Hash: BF900210A0494969E95861B4041C27C14C55799381F144815081BC7190DD144A401651

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDFixers.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\css2[1].css

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\QJV1CLZP.htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\email-decode.min[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\font[1].eot

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
PDFixers.exe