Windows Analysis Report
file -pdf.exe

Overview

General Information

Sample name: file -pdf.exe
Analysis ID: 1430825
MD5: 2cec9bd88860b1b00ab4a75fce864a53
SHA1: 983956af45d0f1f97524af9e8c382c3a8afd08be
SHA256: 8afec5473dd48de87edaf7e4fbd34005441fd5214fe562f92f2113796603eb0b
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file -pdf.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\file -pdf.exe" MD5: 2CEC9BD88860B1B00AB4A75FCE864A53)
    • powershell.exe (PID: 7096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 2004 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)
      • WerFault.exe (PID: 3228 cmdline: C:\Windows\system32\WerFault.exe -u -p 2004 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

The tree shows the two behaviours that drive the verdict: the dropper first spawns PowerShell to exclude its own path from Defender scanning, then starts the signed .NET utility RegSvcs.exe with no arguments, a common hollowing target for this family (matching the suspended-process, foreign-memory-write and thread-context signatures listed above). WerFault.exe -p 2004 records that the hollowed RegSvcs.exe crashed, so the injected payload may not have run to completion in this analysis.
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (extracted from memory): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.satsllc.ae", "Username": "ahsan@satsllc.ae", "Password": "Ahsan@12345"}

Yara matches in process memory dumps (Source; Rule; Description; Author):
  • 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  • 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  • 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  • 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  • Process Memory Space: file -pdf.exe PID: 6568; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security

Yara matches in unpacked PE files (Source; Rule; Description; Author):
  • 0.2.file -pdf.exe.141997d0.6.unpack; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  • 0.2.file -pdf.exe.141997d0.6.unpack; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  • 0.2.file -pdf.exe.1415eb90.5.unpack; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  • 0.2.file -pdf.exe.1415eb90.5.unpack; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  • 0.2.file -pdf.exe.141997d0.6.unpack; INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Detects executables referencing Windows vault credential objects. Observed in infostealers; ditekSHen
    Matched strings:
    • 0x31885:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x318f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x31981:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x31a13:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x31a7d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31aef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x31b85:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31c15:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
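The vault-schema rule hit above (and the four INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID matches repeated in the System Summary below) keys on eight GUID strings. The following is an added example, not part of the Joe Sandbox report and not ditekSHen's rule: it checks a buffer for those GUIDs in both ASCII and UTF-16LE, because a .NET assembly stores its string literals as UTF-16LE and an ASCII-only grep misses a managed stealer entirely. The "3 of 8" threshold and the sample buffer are this example's own assumptions.

```python
"""Added example (not from the report or from ditekSHen's rule set): scan a
buffer for the Windows Vault schema GUIDs listed in the rule hit above, in
both ASCII and UTF-16LE. .NET string literals live in the #US heap as
UTF-16LE, so an ASCII-only grep would miss a managed stealer entirely."""

# The eight GUIDs reported as $s1..$s8 in the INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hit.
VAULT_SCHEMA_GUIDS = (
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
)


def find_vault_guids(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Map each GUID found to a list of (offset, encoding) pairs; GUIDs absent
    from the buffer are omitted. Matching is case-insensitive because the same
    GUID shows up upper- and lower-cased across stealer families."""
    hits: dict[str, list[tuple[int, str]]] = {}
    lowered = data.lower()  # bytes.lower() touches ASCII letters only, so UTF-16LE NULs survive
    for guid in VAULT_SCHEMA_GUIDS:
        for enc, label in (("ascii", "ascii"), ("utf-16-le", "wide")):
            needle = guid.lower().encode(enc)
            start = 0
            while (pos := lowered.find(needle, start)) != -1:
                hits.setdefault(guid, []).append((pos, label))
                start = pos + 1
    return hits


def looks_like_vault_reader(data: bytes, min_distinct: int = 3) -> bool:
    """Mirror the shape of the rule: a PE image (MZ header) that references at
    least min_distinct of the schema GUIDs. The default of 3 is this example's
    assumption, not a quotation of the rule's condition."""
    return data[:2] == b"MZ" and len(find_vault_guids(data)) >= min_distinct


# Constructed sample, not a real executable: an MZ header, three GUIDs stored the
# way a .NET assembly would store them (UTF-16LE, one of them lower-cased) and one
# stored as ASCII, separated by padding.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + VAULT_SCHEMA_GUIDS[0].encode("utf-16-le") + b"\x00" * 8
    + VAULT_SCHEMA_GUIDS[4].lower().encode("utf-16-le") + b"\x00" * 8
    + VAULT_SCHEMA_GUIDS[6].encode("ascii")
)

if __name__ == "__main__":
    for guid, where in find_vault_guids(SAMPLE).items():
        print(guid, where)
    print("vault reader:", looks_like_vault_reader(SAMPLE))
```

To run it over a dumped region from the report, pass the bytes of the .sdmp or .unpack file to find_vault_guids; the returned offsets are what you would compare against the 0x31885..0x31c15 string offsets above.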

System Summary

Sigma rule matches on process creation (Source; Author; Data):
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\file -pdf.exe", ParentImage: C:\Users\user\Desktop\file -pdf.exe, ParentProcessId: 6568, ParentProcessName: file -pdf.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 2004, ProcessName: RegSvcs.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file -pdf.exe", ParentImage: C:\Users\user\Desktop\file -pdf.exe, ParentProcessId: 6568, ParentProcessName: file -pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", ProcessId: 7096, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file -pdf.exe", ParentImage: C:\Users\user\Desktop\file -pdf.exe, ParentProcessId: 6568, ParentProcessName: file -pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", ProcessId: 7096, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file -pdf.exe", ParentImage: C:\Users\user\Desktop\file -pdf.exe, ParentProcessId: 6568, ParentProcessName: file -pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe", ProcessId: 7096, ProcessName: powershell.exe
No Snort rule has matched
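The Sigma matches above fire on two process-creation events: PowerShell adding a Defender exclusion, and RegSvcs.exe started with an empty argument list. The block below is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves: it re-implements the gist of both checks in plain Python over constructed events so the logic can be run offline against exported Sysmon or EDR process-creation records. It also decodes a -EncodedCommand payload (base64 of UTF-16LE) before looking for the cmdlet, which is what the "Base64 Encoded MpPreference Cmdlet" rule is for. The list of sacrificial .NET binaries, the field names and the sample events are this example's assumptions.

```python
"""Added example (not part of the Joe Sandbox report, nor the Sigma rules it
cites): the two process-creation checks that fired on this sample, written as
plain Python over constructed events."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline: str) -> str:
    """Drop the (possibly quoted) program token and return the argument string."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
_ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def effective_powershell_command(cmdline: str) -> str:
    """Return the text PowerShell will actually evaluate: the literal command line
    plus the decoded payload of any -EncodedCommand (base64 of UTF-16LE), so a
    base64-wrapped Add-MpPreference is caught as well as the plain one."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass; bad base64 decodes to nothing
        decoded = ""
    return cmdline + "\n" + decoded


def is_defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion (Add-/Set-MpPreference -Exclusion*)."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    text = effective_powershell_command(ev.cmdline).lower()
    return ("add-mppreference" in text or "set-mppreference" in text) and "-exclusion" in text


# Signed .NET utilities that only print usage without arguments; started bare they
# are almost always a hollowing target. Assumed list for this example.
SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def is_sacrificial_process(ev: ProcEvent) -> bool:
    """A known hollowing target launched with an empty argument list."""
    return _basename(ev.image) in SACRIFICIAL and _args_after_image(ev.cmdline) == ""


RULES = (
    ("defender_exclusion", is_defender_exclusion),
    ("sacrificial_process", is_sacrificial_process),
)


def triage(events):
    """Return (event index, rule name) for every rule that matches each event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\user\Desktop\file -pdf.exe"

# Constructed events: the first two mirror the report's tree (PID 6568 -> 7096 and
# 6568 -> 2004); the third is a benign RegSvcs call with an assembly argument; the
# fourth wraps the same cmdlet in -enc so the plain-text check alone would miss it.
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode()
EVENTS = [
    ProcEvent(PS, f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}"', DROPPER),
    ProcEvent(REGSVCS, REGSVCS, DROPPER),
    ProcEvent(REGSVCS, f"{REGSVCS} C:\\build\\MyService.dll", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(PS, f'"{PS}" -NoProfile -enc {ENCODED}', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}  <- {EVENTS[idx].cmdline[:80]}")
```

On a live host the same exclusion is visible afterwards in Get-MpPreference (ExclusionPath) and in Microsoft-Windows-Windows Defender/Operational event 5007, which is the place to confirm the change when process telemetry was not captured.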

AV Detection

Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.satsllc.ae", "Username": "ahsan@satsllc.ae", "Password": "Ahsan@12345"}
Source: file -pdf.exe; Virustotal: Detection: 20%
Source: file -pdf.exe; Joe Sandbox ML: detected
Source: file -pdf.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match; File source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file -pdf.exe.1415eb90.5.raw.unpack, type: UNPACKEDPE
Source: file -pdf.exe, 00000000.00000002.1668962636.0000000003F41000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: file -pdf.exe, 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, file -pdf.exe, 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: file -pdf.exe, 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, file -pdf.exe, 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: file -pdf.exe; String found in binary or memory: https://github.com/Deathmax/Chest-Control/raw/master/version.txt

Reading this list: the type-foundry and licence URLs in the 1E1C2000 region (fontbureau.com, carterandcone.com, tiro.com, sandoll.co.kr, founder.com.cn, zhongyicts.com.cn, the Apache licence and so on) are the kind of strings carried in the copyright metadata of embedded fonts, not contact indicators. The two strings worth noting, https://api.ipify.org and https://account.dyn.com/, sit in the same 1415E000 and 1F340000 regions that matched the AgentTesla Yara rules and are public-IP lookup endpoints the stealer uses to tag its reports. No Snort rule matched during the run, so the SMTP exfiltration described by the extracted configuration was not observed on the wire here.

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, usQ5OSi3.cs; .Net Code: gn83fkssBQ
Source: 0.2.file -pdf.exe.1415eb90.5.raw.unpack, usQ5OSi3.cs; .Net Code: gn83fkssBQ

System Summary

Source: 0.2.file -pdf.exe.141997d0.6.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.file -pdf.exe.1415eb90.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.file -pdf.exe.1415eb90.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.file -pdf.exe.13f51a78.7.raw.unpack, InsertionSort.cs; Large array initialization: array initializer size 58956
Source: C:\Users\user\Desktop\file -pdf.exe; Code function: 0_2_00007FFD9B886780
Source: C:\Users\user\Desktop\file -pdf.exe; Code function: 0_2_00007FFD9B88A5EA
Source: C:\Users\user\Desktop\file -pdf.exe; Code function: 0_2_00007FFD9B8868C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2004 -s 12
Source: file -pdf.exe; Static PE information: No import functions for PE file found
Source: file -pdf.exe, 00000000.00000000.1645514538.0000000000ADC000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamexPjD.exe: vs file -pdf.exe
Source: file -pdf.exe, 00000000.00000002.1668962636.0000000003F41000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename0247baaa-e03f-48a3-8585-3da4da49f424.exe4 vs file -pdf.exe
Source: file -pdf.exe, 00000000.00000002.1678539038.000000001E6A0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs file -pdf.exe
Source: file -pdf.exe, 00000000.00000002.1668711200.0000000003A80000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs file -pdf.exe
Source: file -pdf.exe, 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename0247baaa-e03f-48a3-8585-3da4da49f424.exe4 vs file -pdf.exe
Source: file -pdf.exe, 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs file -pdf.exe
Source: file -pdf.exe, 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename0247baaa-e03f-48a3-8585-3da4da49f424.exe4 vs file -pdf.exe
Source: file -pdf.exe; Binary or memory string: OriginalFilenamexPjD.exe: vs file -pdf.exe
Source: 0.2.file -pdf.exe.141997d0.6.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.file -pdf.exe.1415eb90.5.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.file -pdf.exe.1415eb90.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: file -pdf.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, 3a7VzuwlM.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, 3a7VzuwlM.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, jrWJIjXMiC.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, jrWJIjXMiC.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, vGgzNQTAVFC.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, vGgzNQTAVFC.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, vGgzNQTAVFC.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, vGgzNQTAVFC.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@7/6@0/0
Source: C:\Users\user\Desktop\file -pdf.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file -pdf.exe.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2004
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tfdqpxy.t3l.ps1
Source: file -pdf.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file -pdf.exe; Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.65%
Source: C:\Users\user\Desktop\file -pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file -pdf.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file -pdf.exe; Virustotal: Detection: 20%
Source: C:\Users\user\Desktop\file -pdf.exe; File read: C:\Users\user\Desktop\file -pdf.exe:Zone.Identifier
Source: unknown; Process created: C:\Users\user\Desktop\file -pdf.exe "C:\Users\user\Desktop\file -pdf.exe"
Source: C:\Users\user\Desktop\file -pdf.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file -pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2004 -s 12
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: slc.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file -pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file -pdf.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file -pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file -pdf.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: file -pdf.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: file -pdf.exe, OptionsForm.cs | .Net Code: InitializeComponent
Source: 0.2.file -pdf.exe.13f51a78.7.raw.unpack, InsertionSort.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file -pdf.exe | Code function: 0_2_00007FFD9B8871FC push ds; retf 0_2_00007FFD9B8871FF
Source: C:\Users\user\Desktop\file -pdf.exe | Code function: 0_2_00007FFD9B8871B1 push es; iretd 0_2_00007FFD9B8871B7
Source: file -pdf.exe | Static PE information: section name: .text entropy: 7.959269141980826
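The static findings in this section and the one above (a CLR header, an image base of 0x140000000, the DllCharacteristics flags and a .text section with entropy 7.96) can be reproduced without a sandbox. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the original report. It parses the PE headers directly with the standard library, computes per-section Shannon entropy and emits the same findings. The 7.5 entropy threshold and the build_sample_pe helper (which fabricates a minimal, non-executable PE32+ so the script runs offline) are my assumptions. Note that 0x140000000 is simply the default image base for 64-bit executables, so the image-base finding carries little weight on its own, whereas .text entropy close to 8 in a .NET binary is consistent with an embedded compressed or encrypted payload, which fits the Assembly.Load(byte[]) call listed above.

```python
import math
import os
import struct
from collections import Counter

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
COM_DESCRIPTOR_INDEX = 14   # data-directory slot of the CLR (.NET) header
PACKED_ENTROPY = 7.5        # assumed threshold: above this a section looks compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed payloads approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(image: bytes) -> dict:
    """Extract the static facts the report lists from a raw PE32/PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", image, fh + 2)[0]
    opt_size = struct.unpack_from("<H", image, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:                                  # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        dirs = opt + 112
    elif magic == 0x10B:                                # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", image, dirs - 4)[0]   # NumberOfRvaAndSizes
    com_va = com_size = 0
    if n_dirs > COM_DESCRIPTOR_INDEX:
        com_va, com_size = struct.unpack_from("<II", image, dirs + 8 * COM_DESCRIPTOR_INDEX)
    sections = {}
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                   # IMAGE_SECTION_HEADER
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections[name] = round(shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), 3)

    findings = []
    if com_va and com_size:
        findings.append("CLR header present: managed (.NET) image")
    if image_base > 0x60000000:
        findings.append(f"image base {image_base:#x} > 0x60000000 (default for 64-bit images; weak signal)")
    for name, ent in sections.items():
        if ent >= PACKED_ENTROPY:
            findings.append(f"section {name} entropy {ent}: likely packed or encrypted payload")
    return {
        "image_base": image_base,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "has_clr_header": bool(com_va and com_size),
        "section_entropy": sections,
        "findings": findings,
    }


def build_sample_pe(text_data: bytes, dll_chars: int = 0x8540, clr: bool = True) -> bytes:
    """Constructed minimal PE32+ with one .text section (demo input only; it cannot execute)."""
    e_lfanew, file_align, opt_size = 0x40, 0x200, 112 + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)  # AMD64, 1 section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # section / file alignment
    struct.pack_into("<H", opt, 70, dll_chars)              # 0x8540 = the sample's four flags
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, 112 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000, len(text_data),
                      file_align, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(file_align, b"\0") + text_data


if __name__ == "__main__":
    # 64 KiB of random bytes stands in for the sample's 7.96-entropy .text section.
    for key, value in triage_pe(build_sample_pe(os.urandom(65536))).items():
        print(f"{key}: {value}")
```

Point triage_pe at the bytes of a real file to get the same fields for any PE32 or PE32+ image; the parser only reads the headers and section table, so it is safe to run on untrusted input as long as the file is never executed.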

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\file -pdf.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (87 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\user\Desktop\file -pdf.exe | Memory allocated: 1230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file -pdf.exe | Memory allocated: 1BF40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file -pdf.exe | Thread delayed: delay time: 922337203685477 (this value is TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively unbounded wait)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5417
Source: C:\Users\user\Desktop\file -pdf.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\file -pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | Process queried: DebugPort (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file -pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file -pdf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe" (2 identical entries)
Source: C:\Users\user\Desktop\file -pdf.exe | Thread register set: target process: 2004
Source: C:\Users\user\Desktop\file -pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 680A011010
Source: C:\Users\user\Desktop\file -pdf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe"
Source: C:\Users\user\Desktop\file -pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
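The process tree above contains the two behaviours the Sigma hits in the overview refer to: PowerShell spawned with Add-MpPreference -ExclusionPath to whitelist the dropper in Defender, and RegSvcs.exe launched with no arguments and then written to (Memory written, Thread register set) by the dropper before its thread is redirected. The Python below is an added example, not part of the report and not the Sigma rules' own logic. It runs three simplified checks over constructed Sysmon-style process-creation (event 1) and process-access (event 10) records that mirror this tree, and also handles the base64 -EncodedCommand form of the exclusion command. The event field names, the sacrificial-process list and the 0x1FFFFF access mask in the sample data are my assumptions.

```python
import base64
import re

# Access rights (winnt.h) a loader needs on a process it is going to hollow or thread-hijack.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# .NET framework utilities commonly used as hollow hosts; legitimate use always passes an argument.
SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXCLUSION_RE = re.compile(r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)
# Common short forms of -EncodedCommand followed by a base64 token.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Everything after the (possibly quoted) program token of a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of an -EncodedCommand payload (base64 over UTF-16LE); '' if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(events):
    """Apply the checks to Sysmon-style dicts (event_id 1 = process create, 10 = process access)."""
    hits = []
    for ev in events:
        if ev["event_id"] == 1:
            image, cmd = basename(ev["image"]), ev.get("command_line", "")
            if image in POWERSHELL:
                plain = decode_encoded_command(cmd)
                if EXCLUSION_RE.search(cmd):
                    hits.append(("defender_exclusion", cmd))
                elif plain and EXCLUSION_RE.search(plain):
                    hits.append(("defender_exclusion_base64", plain))
            # A hollow host launched bare, exactly as "RegSvcs.exe RegSvcs.exe" appears above.
            if image in SACRIFICIAL and not arguments(cmd):
                hits.append(("sacrificial_process_no_args", f"{ev['parent_image']} -> {ev['image']}"))
        elif ev["event_id"] == 10:
            # Parentheses matter: '&' binds looser than '==' in Python.
            if basename(ev["target_image"]) in SACRIFICIAL and \
                    (ev["granted_access"] & INJECT_MASK) == INJECT_MASK:
                hits.append(("injection_rights_on_sacrificial_process",
                             f"{ev['source_image']} -> {ev['target_image']} ({ev['granted_access']:#x})"))
    return hits


# Constructed sample data mirroring the report's process tree, plus one benign control record.
PLAIN_EXCLUSION = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'
ENCODED = base64.b64encode(PLAIN_EXCLUSION.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\user\Desktop\file -pdf.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "image": PS, "parent_image": DROPPER,
     "command_line": f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}"'},
    {"event_id": 1, "image": PS, "parent_image": DROPPER,
     "command_line": f'"{PS}" -nop -w hidden -enc {ENCODED}'},
    {"event_id": 1, "image": REGSVCS, "parent_image": DROPPER, "command_line": REGSVCS},
    {"event_id": 10, "source_image": DROPPER, "target_image": REGSVCS, "granted_access": 0x1FFFFF},
    {"event_id": 1, "image": REGSVCS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": f"{REGSVCS} C:\\build\\Service.dll"},   # normal use: registers an assembly
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run directly, the script reports four hits and stays silent on the benign RegSvcs.exe launch that carries an assembly argument. Sysmon does not record WriteProcessMemory or SetThreadContext calls, so the access-rights check on event 10 is the closest log-side proxy for the Memory written and Thread register set lines above; an EDR with API telemetry can match those calls directly.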
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Users\user\Desktop\file -pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\file -pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file -pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat (VolumeInformation)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll (VolumeInformation)
                    Source: C:\Users\user\Desktop\file -pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 0.2.file -pdf.exe.141997d0.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.file -pdf.exe.1415eb90.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.file -pdf.exe.1415eb90.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: file -pdf.exe PID: 6568, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 0.2.file -pdf.exe.141997d0.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.file -pdf.exe.1415eb90.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.file -pdf.exe.141997d0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.file -pdf.exe.1415eb90.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: file -pdf.exe PID: 6568, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one line per tactic; a numeral before a technique name is the counter displayed for it in the original matrix)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                    Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 1 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1430825, Sample: file -pdf.exe, Start date: 24/04/2024, Architecture: WINDOWS, Score: 100
Sample signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
file -pdf.exe (started): Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
    powershell.exe (started by file -pdf.exe): Loading BitLocker PowerShell Module
        conhost.exe (started by powershell.exe)
    RegSvcs.exe (started by file -pdf.exe)
        WerFault.exe (started by RegSvcs.exe)

Source | Detection | Scanner | Label | Link
file -pdf.exe | 11% | ReversingLabs | |
file -pdf.exe | 20% | Virustotal | | Browse
file -pdf.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Deathmax/Chest-Control/raw/master/version.txt | file -pdf.exe | false | | high
http://www.fontbureau.com/designers/? | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | file -pdf.exe, 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, file -pdf.exe, 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | file -pdf.exe, 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, file -pdf.exe, 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file -pdf.exe, 00000000.00000002.1668962636.0000000003F41000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | file -pdf.exe, 00000000.00000002.1677506032.000000001E1C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                No contacted IP infos
                                                Joe Sandbox version:40.0.0 Tourmaline
                                                Analysis ID:1430825
                                                Start date and time:2024-04-24 09:13:05 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 33s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:file -pdf.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@7/6@0/0
                                                EGA Information:Failed
                                                HCA Information:Failed
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target file -pdf.exe, PID 6568 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:13:54 | API Interceptor | 1x Sleep call for process: file -pdf.exe modified
09:13:56 | API Interceptor | 15x Sleep call for process: powershell.exe modified
                                                No context
                                                Process:C:\Users\user\Desktop\file -pdf.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):1510
                                                Entropy (8bit):5.380493107040482
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                                                MD5:3C7E5782E6C100B90932CBDED08ADE42
                                                SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                                                SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                                                SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1940658735648508
                                                Encrypted:false
                                                SSDEEP:3:NlllulJnp/p:NllU
                                                MD5:BC6DB77EB243BF62DC31267706650173
                                                SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:@...e.................................X..............@..........
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.952821089577985
                                                TrID:
                                                • Win64 Executable GUI Net Framework (217006/5) 49.65%
                                                • Win64 Executable GUI (202006/5) 46.21%
                                                • Win64 Executable (generic) (12005/4) 2.75%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.47%
                                                • Generic Win/DOS Executable (2004/3) 0.46%
                                                File name:file -pdf.exe
                                                File size:693'248 bytes
                                                MD5:2cec9bd88860b1b00ab4a75fce864a53
                                                SHA1:983956af45d0f1f97524af9e8c382c3a8afd08be
                                                SHA256:8afec5473dd48de87edaf7e4fbd34005441fd5214fe562f92f2113796603eb0b
                                                SHA512:2d86653a34343fbb5524a9da31803a7999d728050260cf8a7eb8c1611efe76eb6006b8da9271ae2e42395297e3dfb802df5ee08f78829768ed25187a4721536a
                                                SSDEEP:12288:Rr33k5rHn3ewVBnapjQfnEsxJuO+90lIZoE1vJ/ZueC48lnEoCEn:Rr336rOSBniQsXdiOZoEx3cKPEn
                                                TLSH:97E4125833FD8698E0BA2F3A6572244507F2EF1B2D31E19C1DD220CE495AF86D9B4B17
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...<e(f.........."...0.................. .....@..... ....................................@...@......@............... .....
                                                Icon Hash:356d6165656175d6
                                                Entrypoint:0x140000000
                                                Entrypoint Section:
                                                Digitally signed:false
                                                Imagebase:0x140000000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6628653C [Wed Apr 24 01:49:48 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:
                                                Instruction
                                                dec ebp
                                                pop edx
                                                nop
                                                add byte ptr [ebx], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax+eax], al
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0xbf8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa83dc | 0xa8400 | 5dad1887328e6f2180d0d907e3dc7b03 | False | 0.9624074224554234 | data | 7.959269141980826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0xbf8 | 0xc00 | 51e4b3e848b9eac9215acfe80029f05b | False | 0.541015625 | data | 6.015035342241803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xac100 | 0x576 | PNG image data, 158 x 158, 8-bit/color RGBA, non-interlaced | | | 0.6552217453505007
RT_GROUP_ICON | 0xac688 | 0x14 | data | | | 1.15
RT_VERSION | 0xac6ac | 0x34c | data | | | 0.42417061611374407
RT_MANIFEST | 0xaca08 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                No network behavior found

Target ID: 0
Start time: 09:13:53
Start date: 24/04/2024
Path: C:\Users\user\Desktop\file -pdf.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file -pdf.exe"
Imagebase: 0xa30000
File size: 693'248 bytes
MD5 hash: 2CEC9BD88860B1B00AB4A75FCE864A53
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1679111578.000000001F340000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1673374422.000000001415E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:13:55
Start date: 24/04/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file -pdf.exe"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:13:55
Start date: 24/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:13:55
Start date: 24/04/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase: 0x1bfc5950000
File size: 45'472 bytes
MD5 hash: DC67ADE51149EC0C373A379473895BA1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 09:13:55
Start date: 24/04/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 2004 -s 12
Imagebase: 0x7ff6eeee0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Memory Dump Source
• Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  • Opcode Fuzzy Hash: f230945ab3ee0802c4398ff7c869f4c1df6561687de08d421970500675c0d6a9
                                                  • Instruction Fuzzy Hash: 9941C33190D7C98FD326DBA488A55617FF0EF1B314B1942EED099CB0E3E638A946C752
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03294357003364a2d265b18f40531da8d0f9f4f2bc1855c79fe6d2a3402a2fda
                                                  • Instruction ID: 3115c0a062868048e565c0314fcabf9754cb96c8e028dca6566f11935b456409
                                                  • Opcode Fuzzy Hash: 03294357003364a2d265b18f40531da8d0f9f4f2bc1855c79fe6d2a3402a2fda
                                                  • Instruction Fuzzy Hash: A241D53190D7898FD316DFA4C8A55617BF0EF1B310B1942EED089C71A3E678AC46C792
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4cd0a1a33766f89bf5ca8c4ae89b2d874510267259cfd3f165458ed72c30ab3a
                                                  • Instruction ID: 0a38d9066250cf2232e38f7e296bcccfe5976958fd19a9862452a206e2dc7189
                                                  • Opcode Fuzzy Hash: 4cd0a1a33766f89bf5ca8c4ae89b2d874510267259cfd3f165458ed72c30ab3a
                                                  • Instruction Fuzzy Hash: 4441943060AA4E8FDB98EF64C864AE977A1FF59300F1006BDD41DD72A6CE35AD85CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1147ef52c389831bcaf8fa54e5e4f7fec856c2f52a100057f1db7650e24b042f
                                                  • Instruction ID: 909ca5f2c392cf1e95eb0b6a4edbf46720c38d280eb44a072c06efe3e1baac9f
                                                  • Opcode Fuzzy Hash: 1147ef52c389831bcaf8fa54e5e4f7fec856c2f52a100057f1db7650e24b042f
                                                  • Instruction Fuzzy Hash: F941EE2190E7C54FD72397B48C751A13FB0AF57210B0A41EBD0D9CB0A3D928A84AC762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59eef34b97dd59f124691cab8986f27b423d6f424d5c163b6c453e6c5255b93e
                                                  • Instruction ID: e7f009b49327d1eb5253c3814d9dc7f08afa29d4cd7a89ff31d0b45d023f0ae5
                                                  • Opcode Fuzzy Hash: 59eef34b97dd59f124691cab8986f27b423d6f424d5c163b6c453e6c5255b93e
                                                  • Instruction Fuzzy Hash: 2641EF6190E7C54FE7239BB48C795A53FB0AF57310B0A41EBD4C9CB0E3D9689846C762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ed8845a3b85c15ed10187064601b3d33ac61e024ca2bfa3614df24150c9d772
                                                  • Instruction ID: 06c75273ae4f7554e86404b17eb38c4677ac1c4be6b3e21a65d22ac18dab07e5
                                                  • Opcode Fuzzy Hash: 5ed8845a3b85c15ed10187064601b3d33ac61e024ca2bfa3614df24150c9d772
                                                  • Instruction Fuzzy Hash: DD41DC6180E7C54FD72797748C795A13FB09F97210B0A41EFD4D9CB1A3E968A846C362
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cdc281ec0f98224cf7e06b465635fdb8a2cdd28467b683807a6d4d54bca74104
                                                  • Instruction ID: e5ada281f315e75ab8b05f65231f9316d7ddd993a3afabf87cb1ea17805ede5e
                                                  • Opcode Fuzzy Hash: cdc281ec0f98224cf7e06b465635fdb8a2cdd28467b683807a6d4d54bca74104
                                                  • Instruction Fuzzy Hash: D241C011A0E7C64FE32687348C652A53FA1EF57210B1A41FED09ACB1E3E92C594BC352
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 62a654a180606b86732857836ad7a564bad527f3f06248466d483400e12783ed
                                                  • Instruction ID: b137bbed30290e26201c9a38a489b25584059558ae2a2210a196ec8a9566bf9d
                                                  • Opcode Fuzzy Hash: 62a654a180606b86732857836ad7a564bad527f3f06248466d483400e12783ed
                                                  • Instruction Fuzzy Hash: DE31E261A0E7C54FE32A97348C752643FA1EF57210B1A81FED09ACB1E7E92C5906C752
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5112a9b71351ab06c7160ed5d2ceac29062839dfc2ced73b266214209e7683ef
                                                  • Instruction ID: fb424ceb3a6bb32652bbb1598b9a7aac4739189bd0ecca3fa19c5cd91880ea8f
                                                  • Opcode Fuzzy Hash: 5112a9b71351ab06c7160ed5d2ceac29062839dfc2ced73b266214209e7683ef
                                                  • Instruction Fuzzy Hash: 8E31A461F09D0E8FEBA8EBAC9465B7976E2EF5C300F5601B5E42DD72A6CE34AC414341
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d43c03ef062546aa4766f5270fed03142b6b5c1f8bb3216083dafbcc746cfdcd
                                                  • Instruction ID: 78461899aa22fe2b836c7434a4db8fc26c2b300a5528141c305586b5e6417d12
                                                  • Opcode Fuzzy Hash: d43c03ef062546aa4766f5270fed03142b6b5c1f8bb3216083dafbcc746cfdcd
                                                  • Instruction Fuzzy Hash: 2331BC7140E7C54FD7239B748C695A17FB0EF67210B0A42EFD4C9CB1A3EA589846C362
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5e4314901f9465ba0e87b21497d569533b589213816cffe3bdad1eb278bbc92
                                                  • Instruction ID: 280a9634a466ebd7aa54e6ea32cf1b5b7cc5b4bd0070c610b7eaa011193ffc0d
                                                  • Opcode Fuzzy Hash: c5e4314901f9465ba0e87b21497d569533b589213816cffe3bdad1eb278bbc92
                                                  • Instruction Fuzzy Hash: 70314662F0EB4D4BE7A49B9C5C2A62577C1EF9C300F4615BAE15CC3293DE78AD424382
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59ac1600f736602224060fe6a8b5bbd901069807e0c3d3171f659bec4e95d476
                                                  • Instruction ID: a193c82a5fb2e2253e068b854505e63650a9205aaf4c6e69d8430b1c2d973d81
                                                  • Opcode Fuzzy Hash: 59ac1600f736602224060fe6a8b5bbd901069807e0c3d3171f659bec4e95d476
                                                  • Instruction Fuzzy Hash: EB2192A1E09A4E4FEF58AB988C655ECBBB1FF68300F4501BAD068E71D7ED3465418781
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8bf191536b4af6135d72b5055d95af3e1d4f00bb1488395114051b445886df81
                                                  • Instruction ID: d9398a4bb8cab141f149a667caca11261262d3edaf4bd6be8e77c10bfca2fc94
                                                  • Opcode Fuzzy Hash: 8bf191536b4af6135d72b5055d95af3e1d4f00bb1488395114051b445886df81
                                                  • Instruction Fuzzy Hash: 9F21D5B1A0DE8D0FEBA4DFAC84683A43BE2EB69301F05417B905CD32A6DE3459048781
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 78ba07b93c1ec8be3a613dd3d92006613fb63aaedc26a05f299002052f4d4fcf
                                                  • Instruction ID: 79a2170b6958a332e5de801906a52d4f476737d1363777f4d26ef49d29cb9c54
                                                  • Opcode Fuzzy Hash: 78ba07b93c1ec8be3a613dd3d92006613fb63aaedc26a05f299002052f4d4fcf
                                                  • Instruction Fuzzy Hash: E3219061A0EBCA5FE35797744C255907FB1AF13210B0E42EBC099CB1F3E66C694AC762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 50ae45c8ae50da3c1fd7f470713a7fc20d5d12f0d10d33cf6d8339482e8c340a
                                                  • Instruction ID: 9d90778dc03ee94c65c158ccc2bc066b39fa20e59c93478f38dfa52973415512
                                                  • Opcode Fuzzy Hash: 50ae45c8ae50da3c1fd7f470713a7fc20d5d12f0d10d33cf6d8339482e8c340a
                                                  • Instruction Fuzzy Hash: 54218C6190EBCA5FE31357744C215A07FB1AF13210B0E42EBD099CB1F3E52C694AC762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b14f4f6f74df01479e635b91d07fa9e0acd8a27e49b6d6a0e5aca96e2b971fe9
                                                  • Instruction ID: 9ef959131cb01aca6e5f3b3b550d066c14cdee945225c20573f5ad7abd3b11f4
                                                  • Opcode Fuzzy Hash: b14f4f6f74df01479e635b91d07fa9e0acd8a27e49b6d6a0e5aca96e2b971fe9
                                                  • Instruction Fuzzy Hash: 1B11B23190DA8E8FDB91DFA8D8256ED7BF0FF5D310F05007AD419D31A2DA7859418781
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c9579de172fc7a60e218f8e0ef539f46f4627af6100e37d360178a7e57e81e77
                                                  • Instruction ID: 627ed4db985a6cb18c80d18af47a0645e4e64e492c825c6a25cb6da26ae315f9
                                                  • Opcode Fuzzy Hash: c9579de172fc7a60e218f8e0ef539f46f4627af6100e37d360178a7e57e81e77
                                                  • Instruction Fuzzy Hash: 0E11C830919A4E4FEB54EF64CC95AF97BA0FF19300F4101BAD41CD71A6DE38A951C750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11443bb53b7db4f2cce4aad001c8c5967c09c84475447cf07ce1e479c1771f5b
                                                  • Instruction ID: 5018b6de2959c9d26d281500fcba4e0e493c0644839cc32c1ff463df2f4972b7
                                                  • Opcode Fuzzy Hash: 11443bb53b7db4f2cce4aad001c8c5967c09c84475447cf07ce1e479c1771f5b
                                                  • Instruction Fuzzy Hash: 9F21475190EBCA5FE35757B44C252A07FB0AF07210B0E42EBD0E9CB0E3E51C284AC762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 45f50eca903be26114d6f120016a7eb0841ca76c378a9fdf5cf417933efd66df
                                                  • Instruction ID: 594b1ed2cfb6f5b31dcba1c04719681411e9b1318777b01410f3370e1bc02e64
                                                  • Opcode Fuzzy Hash: 45f50eca903be26114d6f120016a7eb0841ca76c378a9fdf5cf417933efd66df
                                                  • Instruction Fuzzy Hash: 27115121A1FBCA4FF76657745C760E87FA09F17B10B0A40F7C4A4CA0F3D92969858356
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e63ffadc5e003a7426a004ddc754f8c4bf1062f9c531b31d46d36478c4ecb115
                                                  • Instruction ID: cd86c67d1ecc83482db9837207dac34b49e687962481a40ebc1ef26bf5af2b58
                                                  • Opcode Fuzzy Hash: e63ffadc5e003a7426a004ddc754f8c4bf1062f9c531b31d46d36478c4ecb115
                                                  • Instruction Fuzzy Hash: 161100A194EBCA6FE35357B40865190BFB0AF17210B0E82EBC099CB1E3E55C194AC762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05e8f58599c92ea5fbf2f584d6c640c9ff242c7078502d0ddfe7512c2f14b71f
                                                  • Instruction ID: 0a6d77276faa7f55a80765275702a16a74293c5aa644519f8e76094912904ca0
                                                  • Opcode Fuzzy Hash: 05e8f58599c92ea5fbf2f584d6c640c9ff242c7078502d0ddfe7512c2f14b71f
                                                  • Instruction Fuzzy Hash: AA01D83050EBD91FC796CB28D4705E67FF1EF89260F4505BFE485C72A2CA249A45C782
Uniqueness

Uniqueness Score: -1.00%

Memory dump functions (22 records). Every record in this group carries the same source, snapshot, similarity and uniqueness fields, stated once here:
• Memory Dump Source: Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
• Joe Sandbox IDA Plugin: Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
• Similarity: API ID, String ID and API String ID are empty for every record
• Uniqueness Score: -1.00% for every record
• Opcode Fuzzy Hash is identical to Opcode ID in every record, so the two are listed on one line

Per-function hashes:
• Opcode ID / Opcode Fuzzy Hash: c1307dd0b6f6e0cb2bd77e42319534c1bbe9267deaadc7aceabd147f4149dc82
  Instruction ID: 55aed959f0de0c849c691efde73504c32e6fc6906dcfc7c454540d673ccc6a3b
  Instruction Fuzzy Hash: F4011A31A1990E8FDF90EF98D8556EEBBF1FB5C311F01013AE419E32A4DA75A9508B90
• Opcode ID / Opcode Fuzzy Hash: 4128e1fadd37648e54bef59ea2c7c0170760b8cad90debcfe3358dd3097a7423
  Instruction ID: 25b23f8fca73570e431c99fa8f81d33b75670abd9bbf5d7ad7c3c4b43e2afecf
  Instruction Fuzzy Hash: B4019230B1894A4BD73CAB2884645B833E2EB49305F20503ED4ABC61E7DE38EA435A40
• Opcode ID / Opcode Fuzzy Hash: e79f2917728f2057ff1bd3a3caa51ec2d517b484fa4870b127a7f5181834542d
  Instruction ID: b6ad1becb59a68a5830557df37bfb8cfd6ec157679187a556728d40e2409fc60
  Instruction Fuzzy Hash: 94014970D0951DAFD764AF50CC59EF637A8EF0A310F01007DE46EC61A2EA34AE82C7A1
• Opcode ID / Opcode Fuzzy Hash: 4554603db2b1a2c4dccc66b00d192ea09457ecdecdc93c60f2136917f4dd58a8
  Instruction ID: ab6185fbd5b1a7b1be28cbbbecf5fb8d98d9b1f16c05fbc2bcb5e822a1475542
  Instruction Fuzzy Hash: 1B018860B1BA890BF7949BAC886126867E3FBC8340F55017A90A9C729ADE385D074741
• Opcode ID / Opcode Fuzzy Hash: 0fed7a063eb66a38a1359faf99acc5eacb7b01d20fa0c7d8f1bfc00ef4b73d66
  Instruction ID: 7ef8cc2beeb0d1f2aef5c6a4cac17ce60d8bf8dd1572795e8b86e85d264f7070
  Instruction Fuzzy Hash: 0101A730B6D94947E738AB28C8A45F833D2EF59305F21513DD4ABC21D7CE39EA424A40
• Opcode ID / Opcode Fuzzy Hash: b41f5eb2391c365ba1a358ae81281fced4e4e0d15b7468afbbdc57ef8cfc339a
  Instruction ID: df6534383297194bafc3af6060de79f9031ac824ead404d81d712a3a98cec4b4
  Instruction Fuzzy Hash: 26012121F0694E4BEBA8DBA884646B862E1FF48305F51007DE41EC71E6DE39AD418700
• Opcode ID / Opcode Fuzzy Hash: 2827d531d9149d0688a72f3ac06014e8ba5f11161675b3b7fdff4cb660b41f3d
  Instruction ID: fb338d0116e06a04031e0f60f76211de095089056182ee8fa874353d483ad901
  Instruction Fuzzy Hash: 5BF03651F09D4E4BEFA8D7A8847597862E2DF58300F950079D42DC71A7DE38ED414301
• Opcode ID / Opcode Fuzzy Hash: 5b68e55946c20c95d036baadd9645672e56e0468642e7ca6d39a302280362289
  Instruction ID: 8bf80bd8efa8c8e160974a215313f4356321b2e602773c4ef3c094df03097ea2
  Instruction Fuzzy Hash: 9501A231E0EA8E8BE765C764C858755BBB2FF49300F5586FAD0AC870D6CB386981CB41
• Opcode ID / Opcode Fuzzy Hash: 1fe2cff46630a11a5ec63c324173e2d7ac2af5b7dba2ec197a20064eb15739d8
  Instruction ID: 7a7bb3cd54aead8f0331d06fb322387c5a1aabca8b31044471cb2e7b6b352835
  Instruction Fuzzy Hash: 3DF0B451B19B8E0FE795D75844716696BE3EFD9200F1445B9804C87196DA39A8028305
• Opcode ID / Opcode Fuzzy Hash: 94cb34c121b6dee37a96a0416c71d5f9099cb37bb913250fcdc7c2e1abbf35ac
  Instruction ID: a008081fe8e159697ca5463f9e76608bcfb38048e535615f8b7e358088a5e04a
  Instruction Fuzzy Hash: 68E09232A1851506E32CA619985297432D0E745721F154336DCEBC32E1F82CA96502C6
• Opcode ID / Opcode Fuzzy Hash: 9ca3afa465bb1ebfac576923293d4c7f120ce4ff25af67c9a61ee9149ae2c82c
  Instruction ID: 29a3a58799ec6f2f6077ccfd348511821347d0800a914fe3747e64418d2395d5
  Instruction Fuzzy Hash: B0E092307059094FD714EB0CDCA09287393E7D8761B20422AC01AC7298DD34ED46C782
• Opcode ID / Opcode Fuzzy Hash: 8a862ea4a056d7a8885b6c654dbb664a52d8a63f880b7274dcc3da810d802f0b
  Instruction ID: ea9d822094aeef4ddb2ba8ea7509cc2bc1bd3f5991c98fb96704b2d45d5f6945
  Instruction Fuzzy Hash: A2E04F61719D090B978CBF5CA8D05A97290EB5822035003F7D92AC72CEEE24D4828781
• Opcode ID / Opcode Fuzzy Hash: 2fbb2325ac23db3158fa0210be27f5a68d56327806ba798fe34d1ecad8b1ad42
  Instruction ID: 0254c045d2cdd4d8d10333d3871f5eafc0bce77fe29f127c9f0463776c1d75bb
  Instruction Fuzzy Hash: 81F01571919A1A8EDBA8FA18C450AA8B3F0FF54300F0041EA9069A3296EF306981DF80
• Opcode ID / Opcode Fuzzy Hash: 416e483bf670feece8de75f08fe6a44af80bea676ffae8444156042bea69b69d
  Instruction ID: ef11ca4e8079807bed95340145f94151edfdcef31dd29cad75358bb3d4c06df8
  Instruction Fuzzy Hash: 24E0122140F7C94FD7139B748C215A5BF70AF47100F0E42DBD5988B0A3D6685618C352
• Opcode ID / Opcode Fuzzy Hash: 0dbb94c26f6adc03874efcc23634b7ef23e76ade16aeacd50668677d09743634
  Instruction ID: 2695d11a45c05279c33a1eaa738c255aadced95b5667cf8188c47c2b80dd106d
  Instruction Fuzzy Hash: 4AE0E6317089095FE75496189C526A97287D7D9761B258276C016C36DEDC38A91906C1
• Opcode ID / Opcode Fuzzy Hash: c68518e3845918303f721dd42566dc0ded219a3466bbf3411a7acbaa9f1fc632
  Instruction ID: e08cde16e9e515e3edb33c422bed1fa1696ff7ba37c95af054c5f996bf7f2d29
  Instruction Fuzzy Hash: A2E0C231B088094FE319FB4498517B832C5E749390F15023ADC2AC32D2FE2859550686
• Opcode ID / Opcode Fuzzy Hash: cd60c083f53520815108aba23edeb4c6bae9084de3f1f79c36cfd112607c940e
  Instruction ID: 2d8f0b276100eb40943126c7b99ec2ef31c9cac0d4486c6b6190da0944a84956
  Instruction Fuzzy Hash: 2CE0C2B162594F9FD788BE89CC419D5B3A1FF58200F0001F49819C3186EE70B9058780
• Opcode ID / Opcode Fuzzy Hash: a553ac09a704f13eee8eaaf903fda79a940b786217f55819a6b8533018c4ad98
  Instruction ID: 493b2e0599e5f4a837cb461cb73cdf8de093bfbd93580f5b8d67c3782c75f9eb
  Instruction Fuzzy Hash: D8D05281A0AC4E17E2A422A808662310A82EF8960AF940178A6ADC52D7DC2C2A560289
• Opcode ID / Opcode Fuzzy Hash: db4f5a70dd7605b02c23e70e4a5ad98227e116a864926dd0cc2a10661d44250c
  Instruction ID: 333b28744a3e14a27288021c72c7389bafc692a8b9e7e84a4b7b8e32d05d06fb
  Instruction Fuzzy Hash: 48D0C931E4980DAFDB50EF98E8515ECB774EF48214F4052B6D41DE31A1DF302A518640
• Opcode ID / Opcode Fuzzy Hash: b1cca9d5f6a5b568a6dbb7487ee41da1ae8fd07f72a79c88df1c12478491ffae
  Instruction ID: db57b0cfab9bcbb3643ac58ee340c4dd45007ce29a00fecb6674adbdd20e576c
  Instruction Fuzzy Hash: 00C09B1278A91D0ED5A49A5C7C511A4B380D7491717C111B7D909C525AD87B494147C1
• Opcode ID / Opcode Fuzzy Hash: c0f0545fb1ff73b3f4db4950643f9db7b1d6ade065982cb7f60346f8b6702159
  Instruction ID: 0bc2d75ccac629d514420a617cbba2d32b18c4acd56a71c1f9cfdd0958091052
  Instruction Fuzzy Hash: 1390021660990A8FA2A0D9E401A012540D2074815476744348229C3150EC745505D100
• Opcode ID / Opcode Fuzzy Hash: 94bac7b5c4919b80d959a513da63db200b354b2b8469b5d84a30b8e19519b252
  Instruction ID: f04662ab4e72e6631f63072e4d29595fd3beb772aca526c08910fae216064cee
  Instruction Fuzzy Hash: 0291F23090E7C95FD3269B648C655617FF4EB57310F1A42EED0CAC70A3EA28A846C792
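To work with this per-function listing outside the report viewer, the following added example (not Joe Sandbox's own code) parses records in the one-field-per-line layout of the report's function listing, where each record opens at the "Memory Dump Source" label and closes with its "Uniqueness Score" line, into dictionaries, checks each record for internal consistency (64-hex-digit ids, Opcode ID matching Opcode Fuzzy Hash) and groups Opcode IDs by the memory dump they came from. The sample input is constructed from two records on this page; the function names and the set of checks are the example's own assumptions, not part of the report.

```python
"""Parse Joe Sandbox per-function records from a text export.

Added example for this report, not Joe Sandbox code. Assumes the layout
seen on this page: "Key: value" lines, one field per line.
"""
import re
from typing import Dict, List

# Constructed sample input: two records copied from this report's listing.
SAMPLE_EXPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1307dd0b6f6e0cb2bd77e42319534c1bbe9267deaadc7aceabd147f4149dc82
• Instruction ID: 55aed959f0de0c849c691efde73504c32e6fc6906dcfc7c454540d673ccc6a3b
• Opcode Fuzzy Hash: c1307dd0b6f6e0cb2bd77e42319534c1bbe9267deaadc7aceabd147f4149dc82
• Instruction Fuzzy Hash: F4011A31A1990E8FDF90EF98D8556EEBBF1FB5C311F01013AE419E32A4DA75A9508B90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1680547869.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_file -pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4128e1fadd37648e54bef59ea2c7c0170760b8cad90debcfe3358dd3097a7423
• Instruction ID: 25b23f8fca73570e431c99fa8f81d33b75670abd9bbf5d7ad7c3c4b43e2afecf
• Opcode Fuzzy Hash: 4128e1fadd37648e54bef59ea2c7c0170760b8cad90debcfe3358dd3097a7423
• Instruction Fuzzy Hash: B4019230B1894A4BD73CAB2884645B833E2EB49305F20503ED4ABC61E7DE38EA435A40
Uniqueness

Uniqueness Score: -1.00%
"""

# Section labels carry no data of their own; only "Key: value" lines do.
SECTION_LABELS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_function_records(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per function record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Memory Dump Source":      # every record opens with this label
            current = {}
            records.append(current)
            continue
        if line in SECTION_LABELS or not records:
            continue
        if line.startswith("•"):              # drop the bullet the viewer prints
            line = line[1:].strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            # "<file>, Offset: <addr>, based on PE: <bool>" -> three fields
            file_name, *extras = [p.strip() for p in value.split(",")]
            current[key] = file_name
            for extra in extras:
                k, _, v = extra.partition(":")
                current[k.strip()] = v.strip()
        else:
            current[key] = value
    return records


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return consistency problems for one record (empty list means clean)."""
    problems: List[str] = []
    for key in ("Opcode ID", "Instruction ID"):
        if not HEX64_RE.match(rec.get(key, "")):
            problems.append(f"{key} is not a 64-hex-digit id")
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID and Opcode Fuzzy Hash differ")
    if not rec.get("Instruction Fuzzy Hash"):
        problems.append("Instruction Fuzzy Hash missing")
    return problems


def uniqueness_score(rec: Dict[str, str]) -> float:
    """'-1.00%' -> -1.0; the report prints the score as a percentage."""
    return float(rec["Uniqueness Score"].rstrip("%"))


def index_by_dump(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group Opcode IDs by the memory dump file they were carved from."""
    by_dump: Dict[str, List[str]] = {}
    for rec in records:
        by_dump.setdefault(rec["Source File"], []).append(rec["Opcode ID"])
    return by_dump


if __name__ == "__main__":
    for rec in parse_function_records(SAMPLE_EXPORT):
        print(rec["Opcode ID"][:16], rec["Instruction Fuzzy Hash"][:16], check_record(rec) or "ok")
```

Feed the whole function listing of a report to `parse_function_records` to get one row per function; `index_by_dump` is the quick way to see how many carved functions each memory dump contributed, and `check_record` flags rows where the viewer's two opcode fields disagree or an id was truncated during copy-out.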